cmon Rele ase 1.0 


VOLUME 23, NO. 4| APRIL 2005 www.releasel-O.com 


Spy vs. Spy: The Accountable Net Part I 


INSIDE 


SPY VS. SPY 1 

Making distinctions 
From spying to invading 
Box: Spies in the Bazaar 

The Roles 6 
Adware vendors 
Box: A Brief History of Adware 
Pressures and opportunities 
The anti-spyware forces 
Consumers in control? 
Advertisers: Where the money comes from 
Download sites 

The State of Play 15 
Legislation: Making distinctions matter 
Box: Taking the Test 
Hold tightly to the hand of nurse... 
Other initiatives 

The Market and the Players 20 
Score card/Report card 
Box: What is informed consent? 
Claria: The company it keeps 
WhenU: Back to its roots 
180solutions: Fixer-upper 
DirectRevenue: Indirect presence 


Redemption at Last? 47 


Resources & Contact Information 49 


Calendar of High-Tech Events 50 


Dont get caught looking: 
Subscribe to Release 1.0. Visit 
www.release1-O.com or use the 


subscription form on the last page. 


BY ESTHER DYSON 


Last November we wrote about spam, and how that scourge could be 
addressed (not solved) by a horizontal approach — “the accountable 

Net” of interacting consumer awareness, vendor tools, authentication 
mechanisms and reputation systems, rather than a top-down regula- 


tory approach. (SEE RELEASE 1.0, NOVEMBER 2004.) 


This issue of Release 1.0 covers spyware — a serious Net-hygiene prob- 
lem that is replacing spam as the scourge of the year — and its counter- 
part, adware. The mechanism to address it is similar: an accountable 
Net of consumer awareness, authentication mechanisms and branding 
of ads and their sources, and legislation to define the rules even if it is 
primarily the market that will enforce them. We believe that these 
mechanisms are beginning to work: The increasing visibility of the 
problems is accompanied by the increased transparency (and account- 
ability) that will lead to a healthier market and a healthier Net. But 
this transition is a reminder of just how messy peer-to-peer regulation 
can be. (Imagine what it would be like if we could the same for, say, 
cell-phone companies and their cryptic billing practices!) 


There are many similarities between spam and spyware. In each 
sphere, there’s a range of behavior, from direct mail to spam and 
phishing, and from adware to spyware and malware — and disagree- 
ments on which is which, depending in part on individual prefer- 
ences. With proper disclosure and technology mechanisms just now 
coming into play, most individuals will be able to choose what they 
want. We limn these developments below and then profile four 
leading players in the space. 


Also in each sphere, there’s an important baby in the bathwater. In 
the case of e-mail and spam, the baby is the e-mail infrastructure 


{ continued on page 2 } 


Release 1.0® (ISSN 1047-935xX) is 
published monthly except for a 
combined July/August issue by CNET 
Networks, 104 Fifth Avenue, New York, 
NY 10011-6987; 1 (212) 924-8800; fax, 1 
(212) 924-0240; www.release1-O.com. 
It covers the worlds of information 
technology and the Internet, including 
wireless communications, security, 
business models, online services, 
tracking systems, identity management 
and other unpredictable topics. ..and 
the policy issues they raise. 


EDITOR: Esther Dyson 
(edyson@release1-0.com) 


PUBLISHER: Daphne Kis 
(daphne@release1-0.com) 


MANAGING EDITOR: Christina Koukkos 
(christina@release1-O0.com) 


CONTRIBUTING WRITERS: Dan Farber 
(dan.farber@cnet.com), Dan 
Gillmor (dan@gillmor.com), 
Steven Johnson (stevenberlin- 
johnson@earthlink.net), 

Clay Shirky (clay@shirky.com), 
Dave Weinberger 
(self@evident.com) 


CIRCULATION MANAGER: Brodie Crawford 
(brodie@release1-0.com) 


SYSTEMS MANAGER: Geoff Clarke 
(geoff@release1-0.com) 


EDITORIAL COORDINATOR: Kate Tobin 
(kate@release1-0.com) 


CONSULTING EDITOR: Bill Kutik 
(bill@kutik.com) 


Copyright © 2005, CNET Networks, 
Inc. All rights reserved. No material in 
this publication may be reproduced 
without written permission; however, 
we gladly arrange for reprints, bulk 
orders or site licenses. Subscriptions 
cost $795 per year in the US, Canada 
and Mexico; $850 overseas. 


2 RELEASE 1.0 


that supports one-to-one (and occasionally -to-many) communi- 
cation and a profusion of powerful capabilities and applications 
dependent on mail, to say nothing of individuals’ freedom of 
speech. In the case of adware and spyware, the baby comprises a 
useful mechanism (advertising) for supporting various kinds of 
free content and software, along with behavioral profiling that lets a 
user get content relevant to (and occasionally competing with) 
what he is looking at and lets advertisers target their ads both to get 
higher returns and to avoid annoying consumers for whom the ads 
aren't relevant. This second group of benefits may not have quite 
the ring of individuals’ freedom of speech, but at its best it includes 
the notion of individual empowerment and is a fundamental part 
of the efficient economy promised by the Net. 


In both cases, if we can solve the hygiene problems, the tools in 
question enable individuals to decide precisely how much of each of 
those benefits (and the complementary trade-offs) they want. 
Ironically, for fear of confusing consumers, adware vendors have 
focused more on the free-software benefit, but the long-term value 
of their activity may well be the greater efficiency and relevancy of 
targeted ads for consumers as well as advertisers. That capability is 
likely to be widespread, which means that this market (whether 
$500 million or $2 billion; precise estimates vary!) is getting too big 
to stay so bad. All the commotion — lawsuits, legislation, the rise of 
the anti-spyware business — comes from the strain of its emergence 
into polite society. 


Below, we suggest how the adware vendors and their counterparts 
might be able to clear the air with a public education campaign. 
This would require (a la the accountable Net) collaboration among 
adware vendors, anti-spyware vendors (who would take note of the 
adware vendors’ participation in the messaging they give to con- 
sumers), advertisers (who would more closely monitor the behavior 
of the advertising vehicles they use), download sites such as CNET 
Networks’ own Download.com and Yahoo! and other sources of 
adware, online publishers who display adware vendors’ ads, and 
organizations such as the Center for Democracy and Technology, 
which is contemplating such a campaign. In addition, the anti-spy- 
ware vendors could implement a parental-control feature, which 


WWW.RELEASE1-0.COM 


might lock up another important source of adware — that which is wanted by chil- 
dren but not by their parents. 


Making distinctions 

Indeed, the issues are many and complex. Just like spam, spyware can’t be reliably 
identified simply by looking at it or its behavior. (Nor can it be easily defined; see 
below.) The simple question in both cases is: Did the recipient want it? 


The answers and remedies for spyware are different, however: In the case of spam, a 
user can delete unwanted mail (though he may be tricked by fraudulent offers and 
phishing). In the case of spyware, users may actually “ask” for (download) it, but 
without knowing what they are doing. And once they discover a problem, they may 
not know which piece of software caused it, or how to get rid of it. Anti-spyware — 
spyware-removal — tools may not work, or they may remove wanted programs and 
accompanying adware along with what the user would consider spyware if he could 
understand what is going on. 


Given the broad range of definitions in this area, we mostly use the term adware 
(also the term preferred by the vendors): software that sits on the user’s PC, watches 
the user’s behavior and uses that behavior to select ads (from an advertiser’s server) 
that at least sometimes are more relevant to that user’s concerns. (Some experts and 
spyware blockers who want to avoid litigation (for unjustified removal of another 
vendor’s software) call “bad” adware “potentially unwanted software,” or PUS. 
McAfee calls it PUPs, for potentially unwanted programs.) The adware typically is 
bundled with free software products such as games, file-sharing software or utilities 
such as icon cursors and weather maps; advertising revenues fund those products so 
the users can have them for “free.” The relationships among all these players are 
complex, as shown in the chart on page 13.) 


Thus, software and content providers get paid indirectly for the value they provide 
to consumers, receiving the money directly for installing the adware (or keeping it 
installed). The money gets into the system in the first place from advertisers, who 
budget it as the cost of the increased revenues they hope to earn because of more 
effectively targeted ads. 


Many people find traditional advertising annoying because it interrupts or interferes 


with the content it supports, but at least that way it’s clear what the advertising is 
doing (and who is getting paid for it). Adware, by contrast, doesn’t interfere with the 


APRIL 2005 RELEASE 1.0 


RELEASE 1.0 


content (or at least not with the adware-supported content). As 180solutions CEO 
Keith Smith points out, “We don’t annoy our customers by showing up in the mid- 
dle of their [online] game.” Instead, they and other adware vendors annoy their 
advertisers’ competitors, and the media whose content they obscure. And many 
adware vendors often annoy the adware users by showing too many pop-ups - often, 
despite claims of relevance, irrelevant ones. 


For their part, the anti-spyware forces lump most adware together with “spyware,” 
referring to the fact that it observes (at the least) user behavior in order to deliver 
contextual ads (based on where the user is at the moment) or even behaviorally tar- 
geted ads (based on past surfing behavior). 


Although definitions of spyware may vary, we believe the dividing line between 
adware and spyware is disclosure and the user’s informed consent. It’s not spying if 
the user consented to the proposition with enough information to make an 
informed decision. Users presumably install adware voluntarily in exchange for the 
products it supports. The adware becomes spyware when a user downloads it unwit- 
tingly as part of a package deal. Also, there’s knowing and there’s knowing. The user 
may agree to receive “relevant marketing offers.” Does she know she’s about to get 
hundreds of pop-ups obscuring the sites she wanted to visit, or altered, sponsored 
results when she searches on Google or other familiar services? And as with the 
downloading of porn — or the purchase of a cashmere sweater, for that matter — the 
user may download adware knowingly and regret it later; it becomes spyware if he 
tries to remove it and cannot. 


Whatever you call it, the software watches what you do and pushes relevant ads at 
you. Many of these ads are based upon the websites you viewed: For example, if you 
are looking at a DVD player at one online store, the adware may display a promo- 
tional message for a DVD player from another online merchant or manufacturer. 


From spying to invading 

Beyond spyware is malware, software that intentionally deceives and causes users 
harm — everything from keystroke-logging in order to support fraud, privacy inva- 
sions and other damage, to hijacking machines for sending out spam and other pur- 
poses. Some malware is installed “knowingly,” but only because the user is unaware of 
its true nature. Other malware is installed surreptitiously (the user clicks a disguised 
install button) or in a “drive-by download” through a security hole. One frequent 


WWW.RELEASE1-0.COM 


SPIES IN THE BAZAAR 


Imagine this. You're in a bazaar. As you enter 
each shop, the merchants look you over, watch what 
you're looking at and rush up to present you with their 
best offers. “You like the red scarf, madame? Imagine it 
with this lovely black leather jacket.” As you walk out of 
one cramped shop, you see the merchant taking notes, 
the better to greet you next time. 

When you return, he has a new selection ready. 
Pretty soon, you realize that he has been talking to the 
shoe merchant down the street. When you enter the shoe 
store, the shoe salesman is ready with shoes to match the 
jacket. As you leave, you are accosted by a street urchin: 
“Cheap shoes, lady! The store pays rent and has to charge 
you more. | can give you a better deal!” You brush him off 
but he persists: “For free, lady! Just let me follow you as 
you shop, and I can keep giving you better offers.” 

You acquiesce. What could be the harm in this? 
And the shoes are, well, they're okay. . .and they're free. 
The urchin follows you around, watching as you browse 
through the twisted streets and cramped boutiques. It 
makes you uneasy to have this kid watching you all the 
time, but never mind. When you complain, he offers to sing 
to you. ..and the music (copyrighted songs) is quite pleas- 
ant. As you shop at one shoe store, the urchin shows you 
shoes from a different merchant, who has paid him to do 
so. He tries to be unobtrusive; whenever they see him in 
public, the merchants shoo him away. One store-owner 
screams at him: “Go away! This customer belongs to me!" 
(But many of the merchants, in their back rooms, are mak- 
ing deals with those very same urchins, paying them to 
lure customers from one store to another.) 

Now more urchins show up, each with his own 
special deal. As they compete with one another, their 
behavior gets worse. The bazaar’'s alleys are getting 
crowded and it’s hard to keep track of all the people 
swirling around. Some urchins start following you without 
asking, and you can't tell one from the other. They foist 
tacky trinkets on you; others sneak up from behind and 
don't bother to give you anything at all. 

Everywhere you go, kids are tugging at your 
sleeve and jostling the others away, whispering “Miss! 


Miss! Look here! Special deal!” As the confusion grows, 
pickpockets reach into your wallet, stealing money and 
credit cards. The urchins start stealing from each other, 
too. Some of them put false fronts up in front of the real 
stores, and deceive you into buying from them instead of 
the merchants who paid the rent; others masquerade as 
salespeople in the larger stores and steal commissions. 
Adult criminals enter the scene, organizing the meanest of 
the urchins into criminal gangs. The merchants who hire 
urchins to do their dirty work shrug their shoulders and 
say they try hard to work only with good urchins. 

Finally, police and vigilantes show up and start 
arresting the urchins. Dragging the kids around by the col- 
lar, the “authorities” ask: “Arrest them all?” It's difficult to 
tell the vigilantes from the police, let alone the 
thieves/pickpockets from the once-innocent kids who 
gave you their names and asked your permission to follow 
you around. It's amess.... You leave, but the sneakiest of 
the urchins follow you home as you walk out. 

Unfortunately, the urchins who were polite enough 
to get your consent and who didn't follow you out of the 
bazaar are indistinguishable from the worst of the thieves 
and con artists. Some of the urchins vanish into the night 
to become permanent outlaws. Others promise to reform, 
but they won't empty their pockets. They wear ID badges 
by daylight, but every once in a while you glimpse them in 
an alleyway, without ID, behaving badly again. 

A couple make more credible efforts to go 
straight, donning large, legible badges. They want recogni- 
tion for their efforts, but most people find them hard to 
trust, let alone forgive. Even the best of the urchins - call 
them WhenU and Claria - face new challenges trying to 
differentiate themselves and competing with the regular 
merchants to win customers’ trust. Can they learn new 
habits and succeed? 

Re-envision the scenario above online, with web- 
sites and portals replacing the merchants, adware/spy- 
ware companies playing the urchins, and regulators and 
anti-spyware vendors playing the authorities, and you 
have a pretty accurate look at the world of adware/spy- 
ware and how it is evolving. 


mechanism for accidental installs is the ActiveX installation, a once useful automated 


installation capability that has earned a bad name through such misuse. (sEE PAGE 29.) 


APRIL 2005 


RELEASE 1.0 5 


RELEASE 1.0 


Adware can be used to collect affiliate commissions; malware can be used to steal 
affiliate commissions. In principle, affiliate commissions are a fine practice — a way 
for the long tail of people and small websites who recommend or endorse products 
to support themselves. If Christopher Locke’s blog, for example, drives you to 
Amazon to buy a book, he gets a commission. And if adware persuades people to 
make transactions at certain sites, that’s a reasonable way for the adware vendor to 
get paid. But stealing commissions is something else again: Suppose some spyware 
sneaks in there and grabs Locke’s commission, or manages to interpose itself 
between you and Amazon without even displaying itself, or recommending a site 
that you were going to visit anyway. . . . Well, that happens. Of course, the spyware 
vendors will tell you that was an error, or a trick committed by some third party it 
doesn’t control. But allegations of such behavior have been persistent, even against 
relatively large vendors such as Intermix, recently sued by New York State Attorney 
General Eliot Spitzer. 


Spyware or malware, once discovered, is hard to uninstall even for savvy users. First, 
the uninstall instructions may not be accessible, and the end-user license agreement 
(EULA) may permit the vendor to leave behind a cookie that enables the software to 
be reinstalled without the user’s consent or knowledge unless the user himself unin- 
stalled it according to the vendor’s instructions; that’s some adware vendors’ way of 
getting around anti-spyware legally. Or the software may reinstall itself without the 
nicety of a EULA clause. It may change file names, rewrite information on the user’s 
system — and perhaps delete the software of competing adware vendors. 


In any case, software deserves to be called “trickware” when it is installed or does 
things without the user’s knowledge or informed consent. As CEO Jeff McFadden of 
adware vendor Claria puts it, “The kind of people who write viruses have stolen our 
business model. We offer ad-supported software products. They promulgate ad-sup- 
ported viruses and malware.” Along with — or sometimes without — bundled soft- 
ware and pop-up ads, spyware can perform all kinds of mischief. 


The Roles 


Adware vendors 

Whereas advertising generally is communication from advertisers who have paid 
content providers to provide a medium for their ads, adware vendors offer a “medi- 
um-less” advertising platform; ads appear on a user’s machine without surrounding 


WWW.RELEASE1-0.COM 


content. The ads are often displayed in separate pop-up windows, independently of 
anything else on the user’s screen, and often in counterpoint to it — such as offers 
from competing websites. That is, adware is a package deal: the “free” stuff and the 
ads. There are exceptions: Some adware is actually wanted for the ads themselves. 
The toolbar from travel search engine Sidestep pops up offers from Orbitz when you 
visit Expedia, for example. 


The “spying” behavior of adware is what makes it interesting and — as long as it is 
done with the user’s informed consent - worthwhile. Precisely because the software 
knows something about the user, it can deliver better advertising — defined as adver- 
tising that is more relevant to the user, and therefore more likely to get results for the 
advertiser, pay the publisher who provided the free software or content, and presum- 
ably (because the consumer buys more) better inform the consumer about products 
he wants to purchase. The famous saying of retail merchant John Wanamaker that 
“Half of advertising is wasted, but I don’t know which half!” could lose its currency, 
because effectiveness can be measured with increasing granularity. That’s why this 
market is of intense interest to advertisers and all those who depend on them. Even 
consumers, who tend to dislike pop-ups but generally prefer ads that are relevant, 
will benefit — as long as they are engaged by choice and not by deception. 


Some companies, such as WhenU (pace 34), generally keep all personally identifi- 
able information (PII) about individual users client-side; the client runs rules 
(updated by the server) to decide which ads to display in real time based on what 
the user is doing (i.e. the URLs of sites she visits or the terms she types into a search 
engine). In the other model, exemplified by Claria (pace 24), the client sends click- 
stream data back to the server, which massages it to determine which ads to display 
— and potentially also to observe user behavior, whether aggregated or individual. 
This underlies market research into consumer behavior, ad effectiveness, behavioral 
profiling and the like. 


Note that the adware/spyware community is just part of the larger profiling and 
behavioral targeting industry. As Cory Treffiletti of Safecount.org, an advertising 
industry initiative dedicated to resolving some of these issues (including disputes 
around cookies), says: “[This issue] is important and affords the opportunity to set a 
precedent that could be used in other forms of media. In our current state, the issue 
surrounds cookies and online advertising, but as the issue expands it could poten- 
tially include the Personal People Meter [which will track overall media exposure by 
detecting signals embedded in television, radio and other media] and any other 
form of counting or measurement that is being considered in other media.” Adware 


APRIL 2005 


RELEASE 1.0 


A BRIEF HISTORY OF ADWARE 


The premise of this issue of Release 1.0 is that this mar- 
ket can evolve. To understand how we could move on, it's 
worth considering how we got here in the first place. 

Way back at the dawn of history, late in the last 
century, consumers were beginning to come online in large 
numbers. Yahoo! had just been founded; so had Excite, 
with money from Kleiner Perkins. Some websites were 
starting to use cookies; they enhanced the user experi- 
ence because a website could tell who you were, but some 
people thought of them as spyware. Suddenly the Web 
wasn't so anonymous anymore. Newbies who were used to 
being recognized on the street and in stores thought noth- 
ing of it, but some old-time Internet users considered 
cookies sneaky. . .which indeed they were. Most users were 
unaware of cookies - until they heard about them from 
people who considered them evil. 

In 1996 DoubleClick was founded, extending the 
idea of cookies for a single website to an advertising net- 
work that could recognize the user at multiple sites and 
build a profile. The profile was in theory anonymous, but if 
you could match a cookie to a website registration that 
includes name and other personally identifiable informa- 
tion, the anonymity could easily be broken. In July 2003, 
DoubleClick raised the ante by announcing the acquisition 
of Abacus, a database of offline personal data, which it 
planned to match with its cookie data. The resulting 
firestorm backfired on DoubleClick and at the same time 
aggravated the paranoia around user data. 

Meanwhile, online services and software develop- 
ers were experimenting with a variety of business models. 
Would users pay for services? More and more people con- 
cluded that they would not. Companies with content sold 
ads on their websites; other companies looked to adware 
to generate revenues from their software. 

In the late ‘90s, many advertisers started to 
become more picky about what they were buying online: “I 
don't care if they saw it; did they click on it?” They no 
longer believed in buying only brand awareness; they 
wanted to drive traffic to their own websites and to convert 
those visitors into paying customers. This new obsession 
with measurability was a key driver behind adware. 
Publishers, used to selling undifferentiated ad impressions, 
didn't necessarily welcome the increased accountability. 

By contrast, adware benefited from that focus on 
user action, and it was one more - often cheap - way to 
buy click-throughs. It also promised increased click- 
through rates through the increased relevance of the ads - 


8 RELEASE 1.0 


a promise not always delivered on, but an appealing notion 
nonetheless. Specifically, adware allows advertisers to 
target users visiting competing sites or looking at com- 
peting offers in a way simply not practical through tradi- 
tional publisher-placed ads. 

But as tracking capabilities become ever better 
and more widely implemented, the obvious next concern - 
particularly among direct marketers - is conversion rate: 
“| don't care if they clicked on it. Did they buy anything?” 
Publishers and adware vendors will say that people often 
click and then buy later, elsewhere, and there's a correla- 
tion between clicking and buying - but let's face it, the 
correlation is stronger for some people than for others, so 
why count clicks? 

In the future, adware vendors will increasingly be 
judged not just by numbers but by their audiences’ buying 
behavior. “Proper” marketers scorn spyware because, 
they claim, its base consists mostly of downloaders of 
games, “free” (ad-supported) software utilities and stolen 
music. They may well be right - in part. Anecdotal evi- 
dence suggests that much spyware is downloaded by kids 
onto parents’ machines, which accounts in part for the 
recurring cycles of installation and deinstallation. Even 
though the child may download the software purposely, of 
course, the parent uses the machine and presumably will 
click on the ads and perhaps purchase the products. But 
this is an inherently unstable situation: We expect the 
anti-spyware vendors to come up with parental locks 
sooner or later. 

Regardless, more accurate tracking will increase 
advertisers’ ability to determine which ad placements 
actually result in purchases. Such tracking - of purchases 
as well as clicks - may be the death of poor-quality adware 
that attracts only the less-desirable customers and adver- 
tisers. Adware vendors, publishers and ad networks will 
need to work hard to earn their keep by delivering the right 
audiences to advertisers, and the right ads to consumers. 
Meanwhile, consumers may be more ready to understand 
and accept profiling; the paranoia has shifted to identity 
theft even though the annoyance with pop-ups is high (and 
some identity thefts are enabled through spyware). 

Finally, the legal and market environment for 
adware/spyware is about to change dramatically. Starting 
a couple of years ago, anti-spyware has become a serious 
problem for adware (let alone spyware) vendors. Release 
1.0's sibling unit, Download.com, a leading download site 
for adware among other products and formerly a propo- 


WWW.RELEASE1-0.COM 


A BRIEF HISTORY OF ADWARE (CONT.) 


nent of user choice and disclosure, has just announced a Meanwhile, adware vendors are ready to talk and 
zero-tolerance policy, banning adware from its site. The many have announced changes to their practices, but anti- 
FTC held hearings on spyware a year ago, and Congress is spyware researchers are watching for continued infrac- 
working on anti-spyware legislation. And the Spitzer law- tions. ..and finding them. The result is a stalemate. . .ready 
suit is focusing the broader public's attention (including to be broken. 

that of advertisers) on the issues. Now read on.... 


is just one of an increasing number of mechanisms marketers will use as they seek 
more and more information about consumers — which is no problem as long as con- 
sumers agree willingly and knowingly. 


Pressures and opportunities 

It’s difficult to get a clear picture of the adware market. There is a real problem with 
spyware, even though the claims of the anti-spyware vendors are often exaggerated. 
Indeed, consumers are often pawns of vendors in either direction, and don’t under- 
stand the implications of either installation or removal of adware and spyware. But 
with better disclosure overall, the prospects for much adware in its current form 
with pop-ups (let alone for spyware) are under great pressure. 


Although the profitability of installed adware remains high for now, it is becoming 
harder and harder for the vendors to keep their installed bases installed; ironically, 
one way to do that is to serve fewer ads per day (and hope that your competition 
shows corresponding restraint! ). Although the early-adopter critics focused on spy- 
ware and profiling in their criticisms of adware, most users now (if asked in a neu- 
tral way) would likely focus on “popware” and “stickware” aspects: that ads pop up 
all over the place, and that some of the software sticks around even when you try to 
get rid of it. 


Users are becoming more sophisticated and less forgiving, especially of pop-ups. But 
if they are going to get ads, they'd appreciate getting more relevant ones — ironically, 
a point in favor of the spy/profiling capabilities of adware. Adware is just one form 
of the increasingly common bargain offered by everyone from Amazon.com to 
Google (Gmail), website publishers, ad networks and CNET Networks’ GameSpot: 
“Let us know more about you, and we'll deliver free content or services along with 
more relevant ads.” 


On the other hand, the pressure on the less-honest end of the business comes from 


increasingly effective anti-spyware tools deployed ever more broadly (perhaps even a 
default in some future Microsoft operating system) and better overall system securi- 


APRIL 2005 RELEASE 1.0 9 


10 


RELEASE 1.0 


ty such as Service Pack 2 for Windows XP. These tools limit the ability of “installers” 
to install software through security holes and outright deception, and they make 
after-the-fact detection and removal easier. That will reduce the clutter on many 
users’ machines and make them less hostile to adware in general and (because of 
reduced messaging) likely more receptive to the ads that they do see. 


The adware players we cover in this issue — good or professing to be good — all sup- 
port legislation that would clarify the line between good and bad practices. The real- 
ity is that if they don’t fully clean up and adopt new, transparent business practices, 
they will have to drop further under the radar and will become fair game for anti- 
spyware tools and crusading prosecutors. Meanwhile, the last thing the good ones 
want is to compete with and be confused with the worst of the spyware vendors. 
They may find it tough to live up to the new standards, but we believe that their sup- 
port is sincere. 


The anti-spyware forces 

On the anti-spyware (ASW) front, there are good and bad guys, too. . though the 
balance is different! The pure plays include Webroot, PC Pitstop, PCTools, Lavasoft 
and others; anti-virus companies McAfee and Symantec have now added anti-spy- 
ware to their line-up. And Microsoft is offering its anti-spyware beta for free; it’s a 
slightly retooled version of the Giant Software product it acquired in November, and 
has been downloaded more than 13 million times. Microsoft in particular pays a 
huge price in support costs for the existence in spyware, which is one reason it is 
happy to give the software away for free. (The other ASW vendors are less happy 
about that!) The good guys provide a transparent service — informing users about 
potentially unwanted software on their machines and removing what the user desig- 
nates as unwanted. And, like the adware vendors, they have improved lately. Newer 
versions of most products list the adware/spyware in a way that users can under- 
stand —i.e. by product/vendor names, rather than as a list of files. 


Anti-spyware tools are a key part of the accountable Net — tools that give users the 
power to protect themselves from threats on the Net. 


But sometimes the cure also seems to be a disease. The anti-spyware vendors’ 
defaults initiate the conversation, and they are a key irritant to many adware vendors 
trying to improve their practices. Many ASW vendors won't publish specific criteria 
for how they define threats, to the dismay of their targets. Also, some software (and 
market surveys) include cookies, tracking services such as Alexa and most toolbars 


WWW.RELEASE1-0.COM 


as potentially unwanted software, allowing them to claim the spyware problem is 
worse than it actually is — which is bad enough. 


Anti-spyware vendors also have a range of motivations. Some are driven by anti- 
adware or even anti-marketing zealotry, as well as by the natural desire to make a 
profit. One way to do so is to scare end-users, labeling everything they consider sus- 
pect as a threat and trashing software that the user might not want removed. Some, of 
course, are also in the pop-up advertising business themselves. AOL's new SpyZapper 
(from Aluria), for example, typically delivers a message to users of Claria’s Gator 
eWallet (Pace 24) each time they log on, warning them that they have “GAIN 
(Adware)” installed, not mentioning “Gator eWallet” specifically. (It’s that brand pro- 
liferation problem coming home to roost; see page 15.) SpyZapper pre-checks a box 
for consumers to “block selected” and another for “block permanently” — that is, 
uninstall it — suggesting that it “may cause connection problems, performance issues, 


security risks, or otherwise interfere with your AOL online experience.” No wonder 
users ask to have it blocked! 


AOL asserts that the blocking is not permanent. . .but Claria’s McFadden says that 
many users write to Claria asking for restoration of their login ID and password files 
— whether or not the data is lost permanently. “It’s our number-one support prob- 
lem right now,” he adds. But Claria cannot help: In accordance with what most peo- 
ple would consider proper privacy policies, the data are stored on each user’s 
machine; Claria does not have that information. McFadden also says that AOL refus- 
es to back up its claims of connection problems, performance issues, and the like, 
which he believes are incorrect and inflammatory. 


There are also spyware and malware vendors who masquerade as anti-spyware ven- 
dors and prey on users’ worst fears only to make them real (just like the phishers 
who write that “your account may be compromised”). 


In the long run, we expect anti-spyware tools to continue to play an important role 
in the accountable Net. In the meantime, some more interaction between them and 
the adware community would be helpful. In particular, the adware vendors need to 
communicate about their products more effectively and adopt standard naming 
conventions. ..and the ASW vendors have to listen. 


APRIL 2005 


RELEASE 1.0 


11 


Consumers in control? 

On the other axis from what the software does is the issue of consumer control. Did 
the user want the software in the first place? As with a credit card bill, perhaps not. 
But did the user want the software or service the adware is paying for — and was the 
consumer aware of the bargain? Did the consumer truly understand the proposition 
and what the software may be doing in order to show those “exciting offers from our 
carefully screened partners”? Were the payment and the promise properly linked, or 
was it a case of treat and trick? 


That’s a pretty simple issue (though hard to resolve in practice), but it keeps getting 
lost in discussions about EULAs. In the past, EULAs provided some legal safe harbor 
for spyware vendors: You could point to the fact that a user had somehow clicked “I 
agree” to an extensive set of terms that included the ability to install software on her 
machine, remove other vendors’ software, collect and reuse data, and so forth. “They 
told us we needed to disclose everything, so we wrote a 6200-word EULA,” com- 
plains Claria chief marketing officer Scott Eagle rhetorically. “Then they told us it 
was too long, so we made it 3600 words. Just tell us, and we'll do what you want!” 


New legislation may soon tell them — and their competitors. It has become painfully 
obvious that no one reads EULAs, and several bills in Congress (see PAGE 16) are 
heading towards precise standards for full and fair (and brief) disclosure for legiti- 
mate adware. Meanwhile, Spitzer has put the industry on notice (in the Intermix 
lawsuit, page 6) that he intends to prosecute practices that are standard in the indus- 
try, making little distinction between spyware and adware. He may not win, but this 
suit is a landmark nonetheless. 


Meanwhile, reasonableness and informed consent are not that hard to test for, 
although it requires some kind of moral compass to put yourself in the seat of an 
unsuspecting consumer. (If you don’t have such a moral compass, then you had best 
err on the side of clarity.) 


On a meta level, moreover, transparency makes things easier for everyone. User feed- 
back — uninstall rates, support calls and, yes, click-through rates — can provide guid- 
ance for those who shouldn't be trusting their own judgment about user satisfaction. 
In a transparent market, goodness is a value; in a shady market, it is only a cost. 


12 RELEASE 1.0 WWW.RELEASE1-0.COM 


Advertisers: Where the money comes from 


Another part of the ecosystem is the purchasers — advertisers who buy impressions 


or click-throughs. Many “reputable” advertisers use adware (SEE INFO BOXES FOR EACH 


COMPANY, BELOW). The advertisers are responsible for how the money they spend 
online is used, but they don’t always fulfill that responsibility. Most of them will tell 


you that they buy adware clicks 
through third parties who pledge to 
operate honorably; some of those 
third parties do operate honorably, 
and many don't. The clauses in their 
contracts forbid a variety of prac- 
tices — but those contracts are prob- 
ably as meaningful in practice as are 
the EULAs that end-users ignore. 


The relationships among all the 
players in this market are complex 
and hard to discern. Advertisers who 
won't place their ads on porn sites 
may nonetheless support porn con- 
tent indirectly — some might say 
negligently — by paying adware ven- 
dors that use porn sites as installa- 
tion partners and advertising 
venues. Likewise, advertisers such as 
music and movie companies who 
would never support P2P filesharing 
programs nonetheless sometimes 
pay adware vendors who in turn pay 
P2P providers. Those are additional 
factors that besmirch the whole sec- 
tor in many people’s eyes. 


Also, many adware advertisers are 
direct marketers who are more 
worried about moving product 
than gaining or protecting a good 


The Adware Business Model (In Practice) 


Product/Service Vendors 
Website Owners 
Large Adware Vendors n 
| Large Software Makers —* End Users 
(= Adware Vendors 
Small Software Makers 
Advertising Brokers 


The Adware Business Model: A Real World Example 
Product/Service Vendors 


CheapTickets.com, Expedia.com, 1-800-Flowers, etc. 


Website Owners 
Seismic Media Kings of Chaos 


oS 


Large Aoftware Makers End Users 


ia 


Small i re Vendors 


indset Interactive 


Small Software Makers 


24/7 RealMedia 
Advertising Brokers 


Do you know where your ads are? 
Charts courtesy Ari Schwartz, Center for Democracy and Technology. 


reputation. But again, with more transparency, users may start becoming more con- 


scious of who is ultimately funding all those pop-ups. 


APRIL 2005 


RELEASE 1.0 


13 


14 


RELEASE 1.0 


In short, the money does not get lost; the chain can be followed back. That money 
chain is why, in the end, spyware may be somewhat easier to eradicate than actual 
malware: There’s some action by some user that triggers a payment to someone who 
can be held responsible. CDT is planning to start working with advertisers to make 
them more aware of this issue, and of their responsibility for the actions of their 
agents (however indirect) in placing and delivering ads. 


Download sites 

Where do users get their adware? A lot of it comes from the major software 
providers’ own sites, such as KaZaA.com and Morpheus.com. Aside from those 
direct sources, there are popular download and game sites, which work with the 
bundling software vendors (as opposed to the adware vendors whose software is 
bundled) to rank the programs, provide related products and generally form part of 
the ecosystem. Finally, the software vendors place ads both through Yahoo! Overture 
and Google’s AdWords, as well as through ad networks such as AOL's 
Advertising.com. 


No examination of adware would be complete without mention of Release 1.0 sib- 
ling Download.com, formerly one of the leading sites for downloads of adware-sup- 
ported bundles (along with many other products). Download.com has just 
instituted a sitewide ban on any software downloads containing adware. 


Download makes money both for hosting software and managing downloads for 
vendors, and for ads nearby. Adware-sponsored programs regularly made its Most 
Popular list. Many software publishers route their downloads from their own web- 
sites through Download.com to get counted towards their official tally on 
Download.com’s Most Popular list — a benefit to Download.com, which generates 
additional page views, and to the software publishers, who gain greater visibility and 
prominence for their products. 


Nonetheless, Download played an exemplary role in the business, vetting the prod- 
ucts it hosted, publishing critical reviews along with praise and, most importantly, 
providing far more disclosure about practices and consequences than most of the 
vendors did themselves. 


Nonetheless, says CNET Networks senior VP Scott Arpajian, “We listen carefully to 
our users, and they have been loud and clear on this issue. They see little difference 


WWW.RELEASE1-0.COM 


between spyware and adware. In their opinion, anything that comes bundled with 
other products is not welcome on their computers.” 


We assume that Download.com is forgoing considerable revenue from this stand, 
and we personally are disappointed that it considers its action necessary, given the 
site’s policies on disclosure. We believe that as one of the software industry’s leading 
download sites with more than 75 million downloads by tens of millions unique 
users per month, Download.com could continue to play a constructive role by edu- 
cating consumers about how adware works and by recommending well-behaved 
products. We hope the market changes to the point that Downlaod.com feels com- 
fortable once again accepting and assessing individual adware products. That’s one 
reason we are suggesting the test below (Pace 17). 


The State of Play 


The adware concept might be acceptable to people who trust the adware companies, 
but at this point very few people do. Adware has a definite perception problem, 
caused or at least exacerbated by some significant part of the market that has actual 
behavior problems: fooling people into installing their software, not identifying their 
ads, showing little restraint in how many ads they show and making it difficult if not 
impossible for most people to uninstall their software, not to mention the even 
worse behavior we describe above. To make matters worse, in many cases the sup- 
posedly legitimate players adopted some of the less honest practices, just to keep up. 
The bad behavior of some adware companies is now coloring public perceptions of 
both spyware and legitimate adware. 


The better players are tarnished by the actions of the worst ones — and because most 
participants have kept a low profile, they failed to distinguish themselves from the 
worst actors. In many ways Claria takes the worst of the rap precisely because it has 
been relatively transparent and is the most visible. For example, although Claria has 
always branded its ads, it changed its name from Gator to Claria, and that, for people 
looking for something suspicious, was enough to heighten the mistrust. It also ini- 
tially avoided mentioning pop-ups, and certainly some users ended up surprised at 
what they had downloaded. (see pace 24.) In the end, you can tell that Claria's bills 
are paid by advertisers, not by consumers. And finally, some people despise advertis- 
ing itself, and some have greater desires for privacy than others. 


APRIL 2005 RELEASE 1.0 


15 


16 


RELEASE 1.0 


As a result, users familiar with adware/spyware are often hostile to the proliferating 
pop-ups, and few people trust vendors’ current protestations about how they oper- 
ate, including how they treat user data. Moreover, what they could do with the data 
they collect, either purposely or carelessly, is enough to give anyone pause. It will 
take some time for even the best of them to earn broad consumer trust — and to dif- 
ferentiate themselves from the worst of them. 


For a host of reasons, including a natural desire to avoid self-incrimination, adware 
vendors all stress that they have done nothing illegal. . .but they have changed or are 
changing their policies and practices to adapt to expected new legislation. 


Business and legal realities being what they are, apologies are probably not in order. 
Some people may never forgive adware vendors without hearing a proper expression 
of remorse; others may never forgive them no matter what. But they might gain a lot 
of credibility — and assurances of a mostly satisfied customer base — by going 
through a one-time re-opt-in process across their user bases (SEE Box NEXT PAGE). It 
may well be that users elect to receive those pop-up ads. . .but many adware vendors 
seem to be scared to find out. 


Legislation: Making distinctions matter 

The level of deception and bad practices in this market has been so high legislation is 
more appropriate than in the case of spam. The potential harms are greater; the 
damage is not simply in spyware being unwanted, but in what it does. Spammers 
(not phishers) may ignore the law but most are not intentionally harming anyone; 
by definition, spyware vendors at best show disregard for their victims, and a few 
laws may help to clarify right and wrong. Clear legislation could also protect adware 
vendors who do follow the law from the depredations of over-zealous anti-spyware 
vendors, who sometimes remove software with the same disregard for users’ wishes 
that spyware installers display. 


Meanwhile, Eliot Spitzer’s lawsuit against Intermix will be closely watched; if it suc- 
ceeds, spyware vendors need to be concerned for their past sins. If Intermix wriggles 
out of Spitzer’s net, it and its counterparts know that new legislation will nonethe- 
less soon make once-permitted tactics unlawful. 


There are major initiatives currently in both the House and the Senate. It seems like- 
ly that the House will pass legislation in the next month or two (as it did last year). 


WWW.RELEASE1-0.COM 


TAKING THE TEST 


One of our goals in publishing this newsletter is to foster 
some communication between adware and anti-spyware 
communities. Both sides demonize the other, and a non- 
productive stalemate prevails. The anti-spyware forces 
note that even the vendors who have cleaned up are still 
reaping benefits from past misdeeds. Although the churn 
rate for most downloads (spyware or not) is high, some 
subset of the installed base is people who simply can't fig- 
ure out how to remove the stuff. So we decided to ask the 
following question of the adware vendors covered in this 
issue. (We expect to see the question refined; we encour- 
age feedback.) Presumably, this would not give anyone a 
free pass, but it would remove one of the obstacles to con- 
structive engagement. 

“Would you consider going through a public, audit- 
ed process where you (and your competitors) sent a series 
of two or three messages to each PC in your installed base 
older than, say, six months old? In return, you would get 
indemnity for past unwanted installs (but not any harmful 
consequences thereof) and a clean slate going forward. (Of 
course, no one can outside the government can guarantee 
indemnity; some sort of endorsement by the FTC might 
help.) The message (standardized across vendors) would 
remind users of your existence, explain the purpose of the 
software, list what programs it supports, and ask the user 
to re-opt in or to uninstall the software. Users who ignored 
three such messages would be taken out of the system if 
possible (though it might also be invasive to uninstall the 
adware and sponsored programs automatically), would 
receive no more ads and would be sent periodic reminders 
to reactivate the sponsored programs. How often should 
the reminders be? That's up to the vendor.” How to accom- 
plish this technically and in a way that would raise public 
awareness should be fruitful topics for discussion. 

We let the vendors speak for themselves. The 
responses are hardly ringing endorsements, but they may 
be enough to move the idea forward: 


Bill Day of WhenU: 

We are committed to providing a valuable solution 
for consumers. As such, we would be very willing to 
remind the customer that our product is installed on their 
computer, its function and how to uninstall it. In fact, we 
currently send a large format message to new Save! users 
after they install, telling them more about the product and 
also giving them an uninstall opportunity. We are even 
considering doing this regularly as an education series. 
But it’s also time for anti-spyware vendors to gain some 


credibility in the process as well. We would like them to 
give us an indication that this effort would matter to them, 
regarding how they classify our products. There's a bal- 
ance required from both sides here. 


Jeff McFadden of Claria: 

Informed consent should be required for both 
installation of ad-supported software by companies like 
Claria, as well as removal of these software products by 
the anti-spyware tools. If both sides could agree on the 
rules of the road for installation and removal, | could con- 
sider taking remedial steps to deal with installations or 
removals that don't meet the newly defined rules. While 
it's hard to measure the impact, the anti-spyware vendors 
are certainly doing harm when they remove our software 
without the consumer's informed consent, and we'd like to 
see some of our programs restored. 


Joshua Abram of DirectRevenue: 

We would be very interested in participating in 
discussions which seriously explored ideas such as this. It 
makes enormous sense to launch industrywide procedures 
which seek to further enhance transparency by clarifying 
the rules of the road among the three relevant constituen- 
cies: consumers, the major contextual marketing compa- 
nies such as DR, and the anti-spyware vendors. Certainly 
using our own media to message consumers with some 
kind of public service message could - and should - be part 
of this process. 


Keith Smith of 18Osolutions: 

It is paramount to 180solutions that every single 
consumer be provided with clear notice of the fact that 
they are accepting free stuff in exchange for some adver- 
tising. Our policy is 100 percent notice and consent, period. 
No exceptions. In the past 180 has periodically suffered 
from rogue distributors who have not lived up to this com- 
mitment and in limited instances have performed a “silent 
install” of our software. While 180 was in no way involved 
with these silent installs, we take on the full responsibility 
to police our distributors and enforce our Code of Conduct. 
We have gone to great lengths to identify users who may 
have received a silent install and terminate our software on 
those computers. It is, however, possible that some silent 
installs have not been terminated. In order to ensure that 
all older users get a second chance to confirm their intent 
to continue to use our software and get access to free stuff 
in exchange for viewing ads - we would be willing to re- 
prompt all users over a certain age to confirm. 


APRIL 2005 


RELEASE 1.0 17 


Then the challenge will be to reconcile that with the Senate initiatives to produce 
something that can be passed in both chambers and enacted. 


e In the House of Representatives: The Securely Protect Yourself Against 
Cyber Trespass Act (SPYACT) passed the full House last year as HR2929 
and has been reintroduced this year as HR29 by Representatives Mary 
Bono (R-CA), Cliff Stearns (R-FL) and Joe Barton (R-TX). The bill pro- 
hibits deceptive installations of software and requires conspicuous notice 
and affirmative consent for software that has “information collection” 
functions. Violations are punishable by fines of up to $3 million. This bill 
is likely to pass the House again this spring. 


e Another House bill, the Internet Spyware (I-SPY) Prevention Act would 
establish prison sentences of up to five years for some spyware-related 
crimes. This bill passed the House unanimously last year and was reintro- 
duced by Representatives Bob Goodlatte (R-VA), Zoe Lofgren (D-CA), 
and Lamar Smith (R-TX) in February. Most recently, a controversial clause 
was added that would give anti-spyware vendors broad “good Samaritan” 
immunity for almost any action against alleged spyware, but it should be 
resolved with more specific language. 


e In the Senate: The SPY BLOCK Act is a revised version of legislation 
introduced last year under the same name; it was reintroduced in March 
by its originators, Senators Conrad Burns (R-MT), Barbara Boxer (D-CA) 
and Ron Wyden (D-OR). It would prohibit covert installation of software, 
software that thwarts users’ attempts to remove it, software that includes 
“surreptitious information collection functions,’ adware that conceals its 
operation and a range of other deceptive practices involving spyware. 


e Senator George Allen (R-VA) has also been discussing introducing a bill 
that would prohibit bad acts but would not contain an explicit notice pro- 
vision for information collection or ad placement. The SPY BLOCK Act 
would be easier to reconcile with House initiatives than the Allen legisla- 
tion, says CDT’s Schwartz. 


The proposed legislation is not without its detractors from both sides, however — 
which probably means that it’s reasonably balanced. 


18 RELEASE 1.0 WWW.RELEASE1-0.COM 


The Senate bill is more general in how notice to consumers should be given and 
gives more of a role to state attorneys general. “Some would argue, of course, that 
providing more incentive to local crusaders such as New York’s Eliot Spitzer will 
move things forward. Others are concerned that state AGs have enough consumer 
protection power over these issues as is, and that providing them more tools will 
only encourage grandstanding over enforcement,” says Schwartz. 


Neither of last year’s bills made it into law, but there is greater urgency this year, and 
it is likely that something will pass both the House and Senate before October. 


If legislation does not pass, the clean adware business will have difficulty differenti- 
ating itself (or emerging) from the spyware cesspool, and inconsistent state laws are 
likely to keep things confusing for all parties — consumers, adware vendors, ASW 
vendors and law enforcement alike. 


Hold tightly to the hand of nurse, for fear finding something worse 

All four companies profiled here say they support Congressional legislation, 
although the more prescriptive bills (such as HR29) would require serious and pre- 
cise changes to distribution and removal processes for all but perhaps WhenU, 
which currently requires separate disclosure screens for all its bundling partners and 
has been rolling out co-branding on its advertisements. Among other things, Claria 
would have to modify its GAIN AdServer to be included in the Windows 
add/remove menu, which it currently plans to do, and DirectRevenue would likewise 
have to offer uninstall capabilities directly through add/remove. More significantly, 
the slip-ups that researchers continue to find would no longer be mere breaches of 
vendors’ policies; they would be illegal acts. 


In fact, adware vendors’ own business models increasingly would be threatened by 
the worse actions of their more aggressive competitors and spyware purveyors. 


Although vendors may fear regulation, they fear unregulated competition even 
more. Some may question these companies’ altruism, but no one need question their 
business sense: In the long run, they will do better in a market where users can dis- 
tinguish between them and less scrupulous competitors. For anyone showing ads, 
fewer competing ads is better, after all. Thus, Claria and WhenU have both worked 
reasonably closely with the FTC and with groups such as the Center for Democracy 
and Technology on defining acceptable practices. However, CDT is currently more 
focused on rallying advertisers to demand more accountability from adware ven- 


APRIL 2005 RELEASE 1.0 


19 


20 


RELEASE 1.0 


dors, and working with the anti-spyware vendors to develop standard definitions for 
various adware and spyware practices. 


Other initiatives 

Also last spring, the Federal Trade Commission held a workshop on spyware, attend- 
ed by most of the major players. (SEE RESOURCES, PAGE 49, FOR A LINK TO THE REPORT.) The 
goal of the workshop — not quite achieved — was to define spyware, so that anti-spy- 
ware vendors could do their job without fear of litigation. The report was issued in 
March, and it provides useful background, but not much has happened since. 


Another initiative aimed at setting standards for adware, COAST, for Coalition Of 
Anti-Spyware Technology vendors, recently folded. Begun by a group of leading 
ASW vendors, it developed an accreditation program and accepted 180solutions as a 
member, but things fell apart in disagreements soon thereafter. Some members 
questioned 180solutions’ sincerity; others regarded its entry as the beginning of an 
unfortunate trend as other adware vendors began to apply for membership. 


The Market and the Players 


Right now, the problem with the adware market is not profitability but size; the mar- 
ket seems to have stalled at about $500 million annually — or perhaps there is 
growth, but only at the low, seamy end. (Anti-spyware vendor Webroot estimates the 
entire market at $2.86 billion, but most observers consider that too high; this very 
uncertainty says a lot about what kind of market it is!) As adware companies engage 
on the broader stage — emerging from their market niche into the broader $10-bil- 
lion-and-booming overall online advertising market — they will face new competi- 
tion (from other data-miners and targeting services as well as from traditional 
advertising networks) and new questions. 


In short, adware companies are under legal and financial pressure, and all of the 
bigger players are going through midlife crises. All four companies we cover here 
have raised money from “respectable” venture capitalists; three did so in the in the 
last year or two, while Claria raised $60 million in 1999 and 2000 from USVP, 
Greylock, Technology Crossover Ventures, Investor Growth Capital and Crosslink 
Capital. . though it pulled an IPO last year. As is usual in such an emerging-from- 
the-dark market, the companies genuinely trying to be good want clear rules so that 


WWW.RELEASE1-0.COM 


SCORE CARD (in millions except employee count) 


Company installed base trend 2003 2004 2005 people 
(approx) revs revs revs (e) 
Claria/Gain (1998) 40 D 90.5 n/a n/a 250 
180solutions (1999) 20 F 19.5 50 >50 250 
WhenU (2000) 12 D n/a 50 down 70 
DirectRevenue (2003) 12 D n/a 50 n/a 120 


Trend: installed bases trending Up, Flat or Down 
n/a = not available. 


REPORT CARD 
We have also assembled a report card outlining the companies' various disclosure, (un) installa- 
tion and other practices. Because this market is constantly changing (and mostly improving), 
we have posted it on our website 
http://www.release1-0.com/freshproduce/article.cfm?serialnum=PCFO000 


and plan to update it from time to time. However, we quote the current mid-term teacher's 
comments below: 


Claria: Needs to find new friends 

WhenU: Most improved (new CEO) 

180solutions: Needs to learn to accept responsibility 

DirectRevenue: Incomplete; Promising, but has not yet finished assignments 


competitive pressures can’t tempt them to be “bad.” You could argue that they 
should be good just for its own sake, but clear expectations can help the good guys 
stand up to pressures from investors, advertisers or even just the reality of short- 
term numbers. And finally, good companies cannot compete with bad ones in a 
market in which they are treated the same by legislators, the legal system, anti-spy- 
ware vendors. . .and, of course, the press. 


Our examination of the companies covered below should not be construed as an 
attempt at an investigative report. For such information, we refer you to Ben 
Edelman’s extensive website, which overflows with tales of misdeeds and lame 
responses; such exposure is valuable and pushes reform. Other such sources are list- 
ed in the Resources section, page 49. Here, however, we are more focused on making 
fine distinctions, encouraging best practices and understanding the ecosystem of 
this market to show how it can be improved. 


APRIL 2005 RELEASE 1.0 


WHAT IS INFORMED CONSENT? 


Though the adware companies claim that they have 
improved their practices and that many users love their 
software, the rapid growth of the anti-spyware market 
proves that many other users hate it. . .or cannot make up 
their minds. . .or are too scared/suspicious/unsure of their 
options to make an informed choice. Even though (or 
because?) the claims of the anti-spyware vendors are 
often inflated, users do purchase their products (just as 
they continue to download adware-supported products). 

A recent study by AOL suggests that consumers 
aren't aware of most of what's on their machines, let alone 
of stuff that got there surreptitiously. Its numbers show 
80 percent of users had “spyware” on their computers, 
though only 53 percent knew about it. One could argue 
that it wasn't spyware if they knew about it, unless it was 
spyware that they wanted to remove but didn't know how 
to. AOL's report doesn't get into such niceties. There are 
lots of ways to pick holes in this study, and most adware 
vendors will do so. (For one, it counts Alexa as spyware.) 

But they can't help but be disturbed by a second 
set of numbers, also from AOL. AOL has recently started 
rolling out an anti-spyware service called SpyZapper. 
Currently, it looks for what AOL calls the top spyware 
software - Claria/GAIN, including Gator's eWallet, ezula, 
TVMBO, the Diablo key logger and what AOL's VP of 
integrity assurance Jules Polonetsky calls “two nefarious 
criminal-type applications.” More than 95 percent of 
users who are informed of the presence of these pro- 
grams ask to have them uninstalled, says Polonetsky. 
Whatever the reasons (and whatever messaging 
SpyZapper sends), that is scary news for the adware ven- 
dors concerned. Whether it's their own fault or not, they 
have a problem. It may be their software, or it may be the 
anti-spyware, but it needs resolution. 

On the other hand, adware is frequently rein- 
stalled by the user. For example, Claria relies on the KaZaA 
file-sharing software for an important share of its GAIN 
software downloads and has an edge with this extremely 
attractive offering (which music vendors, of course, con- 
sider to be an even worse scourge than spyware). 

Indeed, people often change their minds: The 
backs of closets and attics, the array of new clothes in sec- 
ond-hand clothing stores, the 9-percent average return 
rates at retail stores, as well as the refund policies of many 
service providers, bear testimony to that fact. (So does the 
first- year divorce rate - at about 3 percent of first mar- 


riages.) Note too that about 9 percent of the retail returns 
(or 1 percent of sales) are estimated to be fraudulent. 

It's also true that there's a range of consumer 
manipulation possible around the install/uninstall process 
(SEE ERIC JOHNSON IN RELEASE 1.0, MARCH 2004): Simply 
leaving a box ticked or unticked on a form changes 
response rates dramatically. 

So what is fair? First of all, clear disclosure, and 
clear identification of any ads or other behavior with the 
organization behind it. Clear instructions - in relevant vir- 
tual locations - for uninstall instructions, consumer com- 
plaints and the like. WhenU has now put a toll-free 800 
number onto its website and on many ads. Claria also 
offers 800-number support. Also fair: No clauses that say 
that third parties can't uninstall the software - as long as 
they have the user's permission and they uninstall the 
supported products as well. 

A number of organizations are working on specs 
for consumer messaging, and are continuing to refine their 
own. WhenU has gone ahead and is now using its own clear 
language with BearShare, its counterpart to KaZaA. Claria 
has been refining its disclosures for four years now, even 
as users’ understanding of the bargain they are making 
also continues to evolve. Claria insisted on disclosure of 
its own software as part of its deal with KaZaA, but KaZaA 
continues to distribute (sometimes along with the GAIN 
Adserver) adware tools that are not so punctilious. 

180solutions is moving most of its new activity to 
Zango, a branded game and humor site, which also has 
clear messaging. However, there's a residual installed base 
of 180 software that keeps getting reinstalled without 
notice or consent, spyware researchers claim, and also 
third parties who continue to install older versions of the 
software. Those problems are being cleaned up, 180 
insists, but researchers continue to find new misdeeds, 
including installations with no notice or consent at all. 
Likewise, DirectRevenue says it is cleaning up its chan- 
nels, but has not finished the job. 


Part of a broader pattern 

One more point about consumer awareness: It's 
not a static thing. Adware was originally called spyware not 
because of its install practices but because it spies on peo- 
ple. For example, many people then and some now consider 
cookies to be spyware. But public expectations and aware- 
ness have changed. Most people know by now that the 


22 RELEASE 1.0 


WWW.RELEASE1-0.COM 


WHAT IS INFORMED CONSENT? (CONT.) 


websites they visit keep track of them - especially if they 
have registered and even if they have not. Is this practice 
deceptive? Some users regularly clear their cookies. . .yet 
they continue to visit the sites. In the same way, perhaps, 
users regularly uninstall and reinstall adware. 

Consider this: You are surveilled daily by multiple 
cameras; your movements are tracked in public. You may 
or may not know about it...and yes, some people still 
object vigorously, though most do not. In the same way, 
nowadays, most people are resigned to the notion that 
they are tracked at most sites they visit online - by that 
site. But they still do not expect to have a camera semi- 
permanently clipped onto their clothing when they buy 
something, which is closer to what adware does. (The same 
paranoia/concern surrounds RFID.) By contrast, cookies 
are like cameras located in the store; they don't follow you 
when you go somewhere else. Ad networks’ cookies, how- 
ever, are somewhat in-between. They “activate” only when 
you visit certain places - or receive ads from ad networks 


Software operates locally and requests ads. Ads appear with content 


or applications they support. 


Software collects data and sends it to server. (How is data used?) 


Software collects PII data and sends it to server? (How is data used?) 


Software takes over machine, changes settings, home page, etc. 
(could be okay if done by corp IT and user is aware of it) 


Software mimics affiliate sites, etc. 


Software used to commit fraud or attack user's machine or other 
machines. 


that you may not necessarily be aware of. 

And then there's the question of informed con- 
sent. How sophisticated should we expect consumers to 
be? If you look at the prices of items on store shelves, is it 
deceptive for the store to charge you sales tax when you 
check out? What about a restaurant, which informs you 
about the tax only after you have eaten the food? 

There's no single answer, and attitudes vary. But 
with better disclosure, we're allowing those attitudes to 
express themselves more clearly, and for companies to 
differentiate themselves on the basis of how they cater to 
those attitudes. 

However, disclosure doesn’t always work. 
Although some people are unhappy that anti-spyware 
removes too many programs too quickly, says Richard 
Stiennon of Webroot, “All the studies we do with our end- 
users show that they want us to stop giving them so much 
information. They don't want a long list of options and 
details; they just what the problem to go away.” 


—— IOl 


User asks for software User asks for software 
knowingly and likes it. 


by what he gets. 


APRIL 2005 


“knowingly,” but is surprised 


Software is hard to User tricked into Software 
remove/keeps reappearing. asking for software. installed 
drive-by. 


RELEASE 1.0 23 


24 


RELEASE 1.0 


Specifically, we look at some of the adware vendors, and put this five-year-old indus- 
try in context. We cover the spyware form of adware, but we do not cover other 
forms of what some might call spyware, such as employer monitoring tools, 
researchware such as Comscore’s anonymous user behavior surveys for market 
research, context-sensitive sponsored e-mail (e.g. Gmail) or Trojans and other mal- 
ware — or Web publishers’ and ad networks’ cookies, for that matter. We lay out the 
economics of the business and the incentives for change. 


The real key to cleaning up spyware and giving adware back its good name is to get 
enough transparency into the market so that consumer satisfaction rather than 
deceptive installation becomes the key to success. It may be that some of the current 
players do not have the inherent skills to satisfy consumers; they will not succeed. At 
the other end of the curve, sleazeball players will no doubt continue to exist — as they 
do in any market — but technology fixes (plus somewhat more wary and informed 
consumers using them) will keep most of the malware at bay. This report is an 
attempt at fostering such transparency. 


Claria: . . .the company it keeps 

The story begins 

In the mid-‘90s, when the Internet was just beginning to catch consumers’ attention, 
Jeff McFadden, VP business development of Excite, began work on a new “behav- 
ioral marketing” project, called Thunderbird Networks. In 1997, when Excite chose 
not to fund the project, he left and founded Gator Corporation a year later to pursue 
his idea: an online version of Catalina Marketing’s customized supermarket 
coupons. Buy a box of Tide, and you get a coupon to try a competing brand of wash- 
ing powder. Buy a six-pack of beer, and get a coupon for pretzels to go with it next 
time. Now we also have grocery loyalty cards (speaking of spyware! ), but grocery 
coupons remain an effective way for manufacturers to get consumers who buy 
Brand X to take a fling with Brand Y. 


(John Giuliani, a Catalina employee from 1994 to 2001, has been on Claria’s board 
since 2002. Catalina’s revenues for 2003 were about $470 million, and custom 
coupons remain the cornerstone of its business.) 


McFadden’s idea was to track (anonymous) consumers’ behavior on the Web and 


then serve them ads for competing and complementary products. Technically, the 
adware — now called the GAIN AdServer — sits on the user’s machine and sends 


WWW.RELEASE1-0.COM 


information on the user’s surfing behavior back to Claria, which uses the informa- 
tion to profile users and target ads. 


For example, users who shop for a car at the Ford website see ads for other auto 
makers. Consumers are tracked as individuals, but not by name or other identifying 
information. What made Claria’s service compelling to advertisers — and anathema 
to publishers — is that the publishers’ own tracking is limited to what a user did on 
each publisher’s own site. That is, if Alice checks the auto classified section of 
nytimes.com, then the Times can serve her an auto ad later on when she visits the 
international news section, which is not a great venue for contextual ads. By con- 
trast, if Juan visits Autobytel and then heads to the Times for his football scores, the 
Times has no way of knowing he’s in the market for a car. Publishers can benefit 
from ad networks that have a somewhat broader view of their customers and can 
target ads, but Claria can track a user wherever he goes. . .and rightly claim a much 
more detailed view of each (still anonymous) consumer’s behavior. 


Note that while information about the consumer remains anonymous, it is extensive 
and could be misused. No one suggests seriously that Claria has ever done so, but 
this is certainly an issue for people concerned with the “spy” part of spyware. 


In aggregate, Claria’s data can be used to watch users’ behavior as they surf and enter 
search queries, detect patterns and then use those patterns to predict the behavior of 
other users — and refine its targeting of ads to individuals. (In the 

same way, Amazon lets you know that other users who bought, say, 


“Freakonomics” by Steven Levitt also bought “Collapse: How CLARIA INFO 

Societies Choose to Fail or Succeed” by Jared Diamond.) Much like Headquarters: Redwood City, CA 
ChoiceStream (SEE RELEASE 1.0, MARCH 2005), Claria has developed an Founded: November 1998 
extensive taxonomy of the more lucrative consumer products so Employees: 225 


that it can properly target consumers who are in the mood for any Funding: S60 fillig from USV 


: : . A è Greylock, Technology Crossover 
particular thing. That enables it to get higher click-throughs and 5 

lti l d displ d Ventures, Investor Growth Capital 
ultimate y, more money per a ispiayed. and Crosslink Capital 


Advertisers: NetFlix, eHarmony, Orbitz, 


The service was launched in the summer of 2000, bundled with the Cendant, Motorola, Sprint, Priceline, 
Gator eWallet (a tool that provides auto-fill in of typical purchasing Travelocity, LowerMyBills, 
information such as name, shipping and billing addresses, credit RateMyMortgage, plus 31 percent of 


from ads placed b 
card numbers and the like, along with user IDs and passwords) and eens eee tase a 


other consumer utilities (listed above). Initially it was bundled just chia danas 
with the Gator eWallet, and displayed Gator-branded ads. But, says 


McFadden, “When we started developing other titles and support- 


SearchScout 


URL: www.claria.com 


APRIL 2005 RELEASE 1.0 25 


26 


RELEASE 1.0 


ing third-party titles, we needed a different name for the ad network, which we 
called GAIN, for Gator Advertising Information Network.” That proliferation of 
names, innocent enough (just think of Procter & Gamble or the many brands of 
Ford), took on an odor if you mistrusted the company and thought it was trying to 
cover its tracks. 


Claria always branded its ads, the company says, but it wasn’t until 2002 that it pro- 
vided information about itself and its uninstall process via a link from each ad. 
Given that, in the early years, the adware and the product — the Gator eWallet — were 
bundled in a single program that could be removed from Windows’ add/remove 
function, the company didn’t think it necessary. When the adware and the products 
became separate, the company added a question mark at the top of each ad with a 
link to more information about GAIN and its affiliate products. ..and uninstall 
instructions. (In 2003, it added a second link to the same information, from a “for 
more information” link at the bottom of each ad.) But the GAIN AdServer itself was 
not listed in the add/remove section, although it was in the Start menu and included 
uninstall instructions there: Uninstall the sponsored products and GAIN will be 
removed as well. 


Friends and enemies 

Meanwhile, the folks who mistrusted Claria’s profiling capabilities soon found allies 
in another group of people, who used cookie-based profiling themselves, but who 
were aghast at the notion of anyone advertising directly to users, without a media 
property as toll-collecting intermediary. In 2002, 16 news companies that operate 
websites, including the publishers of The Washington Post, The New York Times, The 
Wall Street Journal and USA Today, sued Gator (as it was then still called). The basic 
dispute was that Gator (and its growing number of competitors, but Gator was the 
easiest target) was flouting a holy tenet of the media business: that you reach con- 
sumers via a medium that displays advertising to support content. These upstart 
adware companies were reaching consumers directly — and their ads in many cases 
were obscuring the content of the publishers as those ads popped up over their 
pages. If you accept the implicit premise that the publishers own the users’ screens, 
at least while the users are visiting the publishers’ sites, then the publishers indeed 
had a case. Adware was “stealing” the publishers’ content, poaching the publishers’ 
advertising revenue, and wrongly claiming attention from consumers. 


The case was settled on undisclosed terms (with no payments in either direction) in 


early 2003; researchers say that to this day Claria does not display ads when users 
visit these plaintiffs’ sites (indicating that this was part of the settlement). 


WWW.RELEASE1-0.COM 


However, the publishers couldn’t make the most serious of their charges stick. That 
was that Claria’s ads were misleading consumers into thinking they were from the 
hosting website. The ads were reasonably clearly labeled, although certainly some 
consumers may have been confused. Claria is not ashamed of its own name the way 
some adware vendors seem to be — though that name has changed once. . .in a mar- 
ket where names seem to pop up like. . .well, pop-ups. 


More than a dozen later suits from 2001 to 2003, primarily from advertisers, charged 
that Claria was finding and using various companies’ URLs and trademarks to trig- 
ger the display of competing ads. These cases were also settled, and the question 
about the use of trademarks to trigger ads — rather than within ads — is still under 
debate, most recently in a case involving the use of trademark keywords in ad sales. 
For the record, we believe such use should be lawful. 


Separately, in 2003, a collection of advertisers including 1800Contacts, UHaul, and 
Wells Fargo, sued WhenU (pace 34) for the some sort of thing. WhenU prevailed on 


both counts (copyright and trademark) in the UHaul and Wells Fargo cases; it 
received a split decision in the 1800 case — winning on the copyright and enjoined 
on the trademark issues and showing competing pop-ups. The 1800 case is currently 
on appeal; both Google! and the EFF have filed briefs with the court supporting 
WhenU’s legal position on trademarks. The expected outcome: Neither websites nor 
adware own a user’s desktop; the user does. 


(Of course, this was all couched — especially in the press — as concern for the user. 
But in fact, the user was hardly considered by any of the parties involved — other 
than the courts.) 


Install me 

The way Claria got its software installed was also controversial. It started with its 
own eWallet and then brought out a range of other products. To reach consumers, 
Claria and its bundle partners bought ads on other sites. The ads promised free 
downloadable software in exchange for euphemistically described “marketing 
offers;” further disclosure was available through EULAs (end-user license agree- 
ments) that almost no one read. Though those offers were branded, they were in the 


1 In 2004 insurance agent Geico filed a suit alleging that Google infringes on its trademark when a rival's 
ad is displayed by AdWords next to the search results for “Geico.” A judge ruled that displaying the ad is 
not illegal, but has yet to rule on whether the use of the “Geico” name in the ad itself infringes its trade- 
mark, and if so who is to blame. For its part, Google's terms of service expressly forbid the use of trade- 
marked names in the text of ads, and it says it does its best to prevent such ads from being displayed. 


APRIL 2005 RELEASE 1.0 


27 


28 


RELEASE 1.0 


form of much-despised (by users) pop-ups, and not everyone was expecting them. 
Claria got a reputation for underhandedness, and its adware got the name “spyware.” 


Over the years, Claria has continued to add more disclosures before and during the 
installation process (as well as on the ads it displays), but in the beginning the whole 
business was obscure to consumers who were less knowledgeable and attentive than 
they are today. “We push our [installation] partners hard,” says chief marketing offi- 
cer Scott Eagle now, “and we won’t work with people who don’t follow our policies.” 
Most of Claria’s adware now leads the user through four of five disclosure screens — 
but only two of them are forced; the others come after the installation process starts 
(when they can be skipped); the KaZaA version has fewer screens. As Eagle notes 
with evident pain, about 20 percent of customers at each step would drop out at 
each screen of such a disclosure process, no matter what each additional screen says. 


And even now, Claria’s disclosures still often talk about “ads based upon the websites 
you view, although Claria’s new disclosure screens for its own products (not KaZaA) 
mention pop-ups specifically. However, the company is finally about to address one 
persistent complaint and put the GAIN AdServer into each user’s add/remove menu, 
starting with version 7.1, being rolled out over the next few months. 


But back in the period starting in 2001, other companies saw what Claria was doing 
and jumped onto the bandwagon. Some of them weren't as good at coding as the 
team at Claria, and their software worked badly, gumming up users’ machines. 
Others watched and copied how Claria was getting its software installed, but they 
piggybacked on those distributions and often dispensed with the user benefits and 
the disclosures almost entirely. 


An underbrush of third-party “installation partners” grew up around Claria, 
WhenU and other adware vendors. These are companies who will get software 
installed — no questions asked — for just a few cents a copy. Thus began the “super- 
bundle,” where a single piece of software would carry with it several different pieces 
of adware. While Claria required disclosure, many adware/spyware vendors did not. 
A user clicking to download the software might not notice or care about a list of 
those supporting “products” and their promise to “deliver relevant marketing 
offers.” Or a porn site might just ask you to “click here,” and the user probably would 
not bother to read the EULA. As one observer told us: “You have a gentleman sitting 
there at 11.30 on Friday night, and he’ll click on anything to see Britney Spears 
naked.” While porn sites usually have little trouble generating revenue, adware 
installations can bring in extra revenue as a side business. (As noted, not all adware 


WWW.RELEASE1-0.COM 


uses porn. DirectRevenue and 180solutions do, through third parties; it’s “less than 5 
percent” of 180’s business, that company says, and we believe it’s about 10 percent 
for DirectRevenue. WhenU and Claria do not work with porn sites.) 


Activex: Friction-free installs 

Yet installation was a cumbersome process. . .so Claria invented the concept of 
“trickling,” whereby the software would download in the background over several 
hours — convenient for people on dial-up. Claria also — to its later regret — invented 
(or at least discovered) “ActiveX downloads.” That is a much speedier, simpler instal- 
lation process (SEE ILLUSTRATION): When you try to download a piece of code contain- 


ing ActiveX, Windows displays a warning and the disclosure on a single screen, but 


then it manages the download automatically, requiring less user involvement (i.e. 


you do not have to download the installer first, find it, double-click it, and go 


through the install process). Claria kept its disclosure screens as part of the process, 


while many other adware vendors or third-party installers did not. However, it typi- 


cally shows all five disclosure screens after the 
install has begun, and users can choose to skip 
three of them (as users often do) as the install 
completes. Unfortunately, too, if a user for some 
reason has low security settings — perhaps 
through a previous encounter with some mal- 
ware — Windows fails even to display the warn- 
ing, and the software downloads automatically 
and without notice. After this was brought to its 
attention, Claria says, it engineered around this 
to ensure that its software would not be installed 
on systems with low security settings, but others 
took advantage of this handy loophole. 


Things went from bad to worse. The third-party 
installers, creative folks, kept discovering new 
tricks as old tricks lost their power. Moreover, 
Claria had a brand name to protect and an incen- 
tive to behave well. But hundreds of companies 
and entrepreneurs were competing to get users to 
download software onto their machines, many 
lured into the business by spam offers of untold 


APRIL 2005 


Security Warning ext 


IE PLUGIN 


Publisher authenticty venfied by Thawte Sever CA 


Cation: IE PLUGIN LTD asserts that this content is safe 
You shouid only install/view this contert £ you trust IE 
PLUGIN LTD to make that assertion. 


I Aways trust content from IE PLUGIN LTD 


Yes | No | More Info | 


ActiveX installation is a process whereby you can use Microsoft's 
own security alerts to trigger a download. Here’s how: Create a 
“CAB” installation package (similar to a ZIP file) that is signed 
with a special signature giving a description to be shown to the 
user. When the user views a Web page linking to this installa- 
tion package, the description text is shown to the user as a URL 
and the installer is run only if the user presses “Yes” (as long as 
the user’s security settings are standard or higher). Is this legally 
binding if the URL contains an (abbreviated) statement of con- 
sent? It may not be for long. But many adware companies have 
used this method. 


RELEASE 1.0 29 


30 


RELEASE 1.0 


riches for working from home. They had little incentive to behave well, and every 
incentive to grab share any way they could. 


As the market grew more crowded, it cost as little as 7 cents to get a piece of software 
installed on a user’s machine in situations where the installers stopped asking 
whether the customer wanted the software. One issue worth noting here: The best 
practice for payment for installations is revenue-sharing, which gives the installer an 
incentive to install the software only with users who will keep it and click on the ads, 
whereas pay-per-install incentivizes lax practices. 


Not everyone is as candid as WhenU founder and president Avi Naider (pace 34), 
who says, “We did stuff that was industry-standard. . .but that’s how the industry got 
a bad reputation.” All the vendors we could talk with insisted that they do not break 
the law. . .and in most cases that is probably true. 


But some relied, and many continue to rely, on third-party installers who do. 


Claria files to go public 

To many marketers, Claria was a success story. By 2003, its revenues had reached $90 
million (but have not been disclosed since), in part on the strength of its relationship 
with new download partner KaZaA beginning in September 2003. Its advertisers 
included Orbitz, Cendant (which has since acquired Orbitz), FTD.com and Netflix. 
It was highly profitable, with $26 million of operating profits on that $90 million in 
revenue. It had venture backing and board members from prestigious VC firms. 
Investment bankers (Piper Jaffray, Deutsche Bank, SG Cowen and Thomas Weisel 
Partners) heard the story and were delighted: a solidly profitable Internet company. 
Claria executives spoke at industry conferences; the company was a member of the 
Network Advertising Initiative (but not of the Online Publishers Association or 
Interactive Advertising Bureau). And so it filed for an IPO in April 2004. 


But that was just when things were getting tough in the marketplace. There were 
lawsuits and pending legislation; also in April of 2004 the FTC held a workshop in 
an effort to define spyware (and Claria was a clear target). Neither the company nor 
its bankers were prepared for the backlash Claria was getting as a lightning rod for 
the entire market and that market’s sometimes sleazy installation practices, lack of 
respect for consumer privacy, etc. Everything in the prospectus was true (we pre- 
sume), but it didn’t include that context. 


WWW.RELEASE1-0.COM 


In the summer of 2004, Claria pulled its offering. “There were a few key things to 
resolve, and I didn’t want to have to deal with them as a public company,” McFadden 
says now. One was the sudden proliferation of the anti-spyware tools he believes 
substantially misrepresent Claria’s software, and the impact this might have on rev- 
enues and profits, making them unpredictable (but in the wrong direction!). That 
put the anticipated spending on BehaviorLink (a new, just-launched service; see 
below) in a new light. The market does not react kindly to companies who show 
down numbers immediately after an IPO. And, McFadden says, “We didn’t need the 
money from the offering.” But it’s clear the company is heading for an IPO or a trade 
sale at some point and has clear incentives to improve its public image. 


The situation now 

Outsiders are fortunate to have lots of information about Claria from its year-old 
prospectus; not surprisingly, the company has published little new information since 
then. We believe its installed base is about steady at 40-plus million, but revenues 
and profits are surely under pressure as it makes the transition to a new, ultimately 
pop-up-free business model. 


The short tail of Claria’s business, its single biggest revenue source, is a “long tail” of 
many smaller advertisers whom it serves via Yahoo!’s Overture network, which pow- 
ers Claria’s SearchScout offering and accounted for 31 percent of revenues (or $28 
million) in 2003. These advertisers have asked to be included in Overture’s spon- 
sored link listings, but many of them may not be aware their ads are being syndicat- 
ed into Gator. In the other direction, Sharman Networks (which publishes KaZaA), 
is Claria’s single biggest installation partner, and KaZaA is definitely the most sticky 
of Claria’s software bundles. 


That deal with Sharman Networks is the company’s biggest weakness as it attempts 
to overcome a bad reputation, deserved or not. Whatever the reason, WhenU 
stopped using KaZaA in June 2003, and KaZaA moved to Claria in September 2003 
(under a contract that expires in September 2008). Although the Gain downloads 
are “clean” and well-disclosed, as we note above, KaZaA also gets revenue from a 
variety of other partners (including Cydoor) who arent so punctilious — we’re not 
certain, but we suspect that the others pay per installation. We can only speculate 
that Claria is unwilling or unable to meet the price of being KaZaA’s exclusive down- 
load partner. KaZaA also has its own legal problems with copyright issues; WhenU’s 
equivalent service, BearShare, has attracted less attention and fewer lawsuits, though 
it performs a similar function. 


APRIL 2005 RELEASE 1.0 


31 


32 


RELEASE 1.0 


The partnership with KaZaA, while lucrative, may end up causing Claria more trou- 
ble than it’s worth. Clearly, this deal is central to Claria’s presence on millions of 
desktops. But perhaps, if it can’t give up the deal, it could absorb the cost of paying 
Sharman to get rid of the other adware/spyware vendors who piggyback on KaZaA 
for distribution. Or perhaps it’s just hoping that new legislation and threats of prose- 
cution will persuade Sharman to drop those others on its own. This is one reason we 
believe Claria is sincere when it supports legislation, standards and other measures 
to clean up the market. 


And the future 

And so the company is now redesigning its business model as well as refining its 
practices. Overall, we believe growth of the company’s current business has stalled, 
but it is working hard to take its considerable assets and make use of them in a dif- 
ferent way. It runs the fifth-largest commercial Oracle database farm, the company 
says, with 120 terabytes of data covering the clickstreams of about 40 million con- 
sumers. That data is only a small part of what Claria potentially knows; the client 
program sends back to Claria only a subset of each user’s activity, mostly concerning 
sites of interest to its advertisers. “We leave the haystack behind,” says Eagle. 
Although the user base keeps churning and the data keeps getting stale, only the 
most recent data is of much value for predicting purchasing behavior anyway. 


Thus, Claria has concluded, if it can’t beat the publishers at their own game of reach- 
ing consumers with ads, then partnering with them may be more productive than 
fighting them in court. It is counting on publishers to be quicker to forgive its trans- 
gressions when they see the opportunity for a substantial uplift in their click- 
through and advertising rates. 


Last month it announced BehaviorLink, an ad-targeting service that will help web- 
sites optimize the use of their Web real estate through better customer profiling and 
ad targeting. After some time of transition, the company will likely get out of the 
pop-up business entirely. 


The context is simple. Website publishers have a finite amount of “inventory,” or 
space to run ads (unlike adware vendors, who can to some extent create it out of thin 
air — as long as they can get desktops). Their goal is to sell that inventory for as high a 
price as possible. The higher the click-through rate, the higher the price they get. 


Claria proposes to use BehaviorLink (an updated form of the GAIN AdServer) to 
improve click-through rates and quality by helping publishers display the right prod- 


WWW.RELEASE1-0.COM 


uct to the right person at the right time. “Consumer response can be increased 30 
times over with this kind of ad personalization,” says McFadden. Because Behavior- 
Link can watch all of an anonymous user’s behavior instead of just what a user does 
at one site or one ad network, it has a far better chance of knowing in relatively real 
time what offers are most relevant to a particular person at a particular time.! 


Like other ad networks, Claria will buy ad inventory on publishers’ websites, and will 
in theory be able to offer them better prices because its click-through rates will be 
higher and it will earn more from advertisers. It will also, presumably, be able to 
charge advertisers more because it will be offering user-friendly in-place ads (and 
with the publisher’s endorsement) instead of pop-ups, and it will have to pass 
through only part of those higher revenues. All that remains to be tested; all we 
know is that Claria cites impressive statistics. ..and that it has enough belief in their 
validity to go forward with this business. 


The real challenge for Claria will be to keep renewing its consumer base (even 
though it is under challenge) and to keep updating its expertise in and algorithms 
for data-mining. It is certainly not alone in this field, but it brings credible talents to 
a marketplace that includes Revenue Science, Tacoda, aQuantive and AOL’s 
Advertising.com — all companies with varying kinds of expertise in ad-targeting. 


Of course, those other ad networks and targeting services are quick to dismiss 
Claria’s new initiative. They point out that only about 40 percent of its user base 
lives in the US (as if foreigners didn’t have money too), and that only about 15 to 20 
percent of your average US website audience comprises GAIN users. Claria 
responds that in some cases it can buy only that subset of a publisher’s inventory 
that is comprised of its users; in other cases, it expects the higher click-throughs of 
its targeted ads to compensate for the 80 to 85 percent of the users whose response 
rates should be standard. 


Technically, Claria will still be collecting its data its old way — through client-side 
installation and data collection — but displaying the ads through (for it) the new 


1Currently, the big issue in the traditional ad-targeting market is the ability to aggregate cookie infor- 
mation across sites. That requires both consumer permission (usually granted somewhat vaguely under 
“share with our marketing partners” provisions) and agreements among the website owners. Although 
website owners don't like to share their data (even just for use by ad-targeters in anonymized and sani- 
tized fashion) with competitors, they do like the better targeting shared data can produce for them- 
selves...and the revenues it can produce from use of their data by one of the networks or targeting 
services. Net net, there's pressure for better targeting and higher yields from Web real estate. 


APRIL 2005 RELEASE 1.0 


33 


34 


RELEASE 1.0 


way — publisher-mediated ad delivery. Claria’s bet is that its better targeting will 
enable it to earn enough extra revenue to support its installation activities and still 
make more profits. 


Ironically, after all the fuss about disclosure, in this more politically correct model 
(among publishers, at least) Claria will not be labeling its ads, just as other ad net- 
works do not. The ads will appear to come straight from the publishers who operate 
the website. But it will continue to communicate its presence during the installation 
process and through information screens available to users linked to the ad-support- 
ed software products. 


Conclusion 

Claria, as the most visible player in this field, is trying to change its own industry. It 
desperately wants good, clean competition. Ironically, having started out with two 
propositions to two different markets — free software to one and better targeting to 
the other — it is now focusing on the second only. As the lure of free downloads 
becomes ever more besmirched and problematic, Claria may one day market the 
benefits of targeting (but without pop-ups!) to consumers. Just as the full under- 
standing of the adware proposition may have been confusing to consumers in the 
old days, so is the promise of targeted marketing still confusing to consumers these 
days. But consumers have a habit of learning — especially when they are presented 
with a clear benefit. It would be great to see Claria successfully selling its service on 
its own merits: More ads you like, and fewer ads you don't! 


WhenU: Back to its roots 

Much as Claria was the continuation of an in-house project, so was WhenU. WhenU 
was formally founded in 2000, a couple of years after Claria, but it began in 1999 as a 
project within an incubator run by the Boston Consulting Group. The founders, 
who left BCG in 2000 and bought out the project, were more analysts than mar- 
keters, and saw the Net as a tool to empower individuals. They also saw an opportu- 
nity in selling users a tool that would allow them to control the kinds of ads they see 
and to compare the offerings of different vendors in real time. 


They called the product WhenUShop and originally gave it away for free. But they 
quickly found that it cost more to market it to consumers than the ad revenues it 
could generate. It’s a compelling proposition — but the timing was wrong. Most con- 
sumers weren't ready to go to a website and download and pay for a program that 


WWW.RELEASE1-0.COM 


would help them get competitive ads — though a more recent instantiation of that 
idea — Sidestep — is doing quite well in the vertical market of travel. 


So the company turned to bundling a stripped-down version that contained free 
coupons and revenue-generating ads as ad-support for popular free downloads, fol- 
lowing the model popularized by Claria. (WhenU also continues to sell a fully-fea- 
tured version of the WhenUShop shopping companion for $24.95 per year; more on 
this below.) 


Originally conscious of consumer-privacy issues at a time when cookies were still 
controversial, WhenU built its software to keep all the user’s data on the user’s 
machine. Rather than send clickstream information to a server, each WhenU client 
follows rules — updated periodically and automatically by requests from the client — 
to show certain kinds of ads: For example: If a user visits Amazon, show ads from 
Barnes & Noble. (That’s on the basis of an interest in books, general counsel Adam 
Lichstein hastens to note; although the company interprets “visit to Amazon” to 
mean “interest in books,” it does not sell ad campaigns that target a specific product, 
company or trademark.) And in addition to serving direct advertising, WhenU can 
convert non-search traffic into the equivalent of a search by displaying sponsored 
search results from Infospace, from which it earns ad revenues. 


WhenU’s server knows what ads were requested and which of those were clicked on, 
but it doesn’t know which machines did so. Though the software watches the user’s 
behavior, it runs rules locally to determine what kind of ads to ask the server for. 
Among other things, that limits the load on WhenU’s servers. It also allows WhenU 
to deliver targeted advertising without profiling individual users — even anonymous- 
ly, and without maintaining any user database. 


Meanwhile, says new CEO Bill Day, formerly with About.com: “We are constantly 
mapping the Internet to ensure that our rules are as accurate as possible across a 
wide range of categories; and we periodically update the clients with these rules. 
When an advertiser is added to the system, we update the database of ad inventory 
so that the client knows there’s an ad. Accordingly, when the client identifies that the 
user is interested in yachting (which would happen whether or not there’s ad an in 
inventory), it can see that there’s an ad and sends a trigger to deliver the ad.” 


As the Internet advertising market turned down, WhenU adopted more clever tricks, 


tied less to the ad experience and more to getting and keeping an installed base of 
users in the first place. Specifically, it often did not make it clear that its software was 


APRIL 2005 RELEASE 1.0 


35 


36 


RELEASE 1.0 


being downloaded along with whatever program the consumer really wanted. That 
worked, but it gave WhenU a deservedly bad reputation for tricking consumers. (Of 
course, it wasn’t operating in a vacuum, as noted above in the Claria section.) It also 
started using ActiveX installs. 


It also lucked out in August 2001 and got a distribution deal with KaZaA — a lucra- 
tive opportunity that it eventually ceded to Claria in June 2003 because, says founder 
and president Avi Naider, it “saw too much risk in being dependent on that embat- 
tled file-sharing network.” (It subsequently partnered with BearShare, another, less 
controversial —or at least less visible — file-sharing network.) That helped it grow 
rapidly for a couple of years. After that, it started working with a variety of bundling 
partners until about a year ago. It still gets more than 95 percent of its installations 
through bundles with third parties, but it now contracts with the software bundle 
partners directly and requires them to use WhenU exclusively on any products sup- 
ported by WhenU. 


Meanwhile, rather than sell ads itself, WhenU had outsourced ad sales to Soho Digital 
and four or five other companies. In early 2004 WhenU asked Soho to be its exclusive 
sales company; Soho Digital rejected the overture, and was eventually acquired by 
DirectRevenue (pace 43) last year. Now WhenU handles its ad sales internally. 


WhenU’s original investors were loath to make too many changes to this profitable 
model, but Naider, closer to the business and the market, sensed that the broader 
world was about to reject his company’s practices. When the company started look- 
ing for new money last year, then-CEO Naider made a different sort of pitch: It 
wanted money and a partner with media expertise to help it get clean, rather than to 
get rich. And it would take a lower valuation to do so. 


Cleaning up nicely 

On the other side was Ralph Terkowitz, former VP technology at The Washington 
Post Company and founding CEO of Washingtonpost.com, and now a general part- 
ner at ABS Capital and a TRUSTe board member. “They liked me because what they 
were attempting to do resonated with us. We didn’t care that they were dropping 
their EBITDA in the short run. We viewed it an investment in making a better com- 
pany. There’s no doubt this company could make an enormous amount of money if 
they were sleazy.” 


Before investing in WhenU, Terkowitz surveyed the market extensively, talking with 
some of the companies we discuss here and others that we do not cover. He sees 


WWW.RELEASE1-0.COM 


some signs of progress, he says: “This won't be a good industry if there’s only one 
good player. Some [of the other ones] say all the right things, but I don’t think they'll 
all bet their future on it the way WhenU is doing.” 


Adds Terkowitz: “We identified contextual advertising as a very interesting area for 
investment: It is high-growth and there are opportunities for solutions that serve the 
advertiser, publisher and consumer to emerge as big businesses. After looking at a lot 
of companies, WhenU emerged as a winning opportunity. They are committed to 
developing a media company based on best practices. They were cutting their rev- 
enue and cutting their EBITDA, but building a much better business. We were 
pleased that they had done much of the heavy lifting on their own. Under Bill Day, 
and after we made our decision [to invest] but before we closed, they have continued 
to invest in improving their value proposition.” 


ABS first started talking with the company in April 2004; the investment finally 
closed 11 months later, on March 15, 2005. In November 2004, industry watcher Eric 
Howes caught sight of a drive-by download of WhenU software. He brought it up 
with the company, and the distributor involved is gone. (Howes has seen no such 
errors since, though he remains wary.) 


During the period of ABS’s due diligence, the company has made a number of new 
hires, most notably CEO Bill Day. It has also hired CTO Sanjoy Paul, a former 
research director from Bell Labs and before that CTO of Edgix, a start-up in the 
caching and content distribution space, and general counsel Adam Lichstein, previ- 
ously in a variety of business roles at Razorfish while it returned to profitability and 
was sold to aQuantive, and before that an IP lawyer at Morrison & Foerster. 


Rigors of reform 
Day recites a litany of changes since he joined the company last October: 


“We stopped doing ActiveX marketing in October 2004 proactively because I didn’t 
like it vis a vis user consent,” he says. “We put out a press release challenging others 
in the space to follow. They didn’t, but many ad networks ended up dropping it by 
their own decision.” That is, ad networks such as Advertising.com (which was 
bought by AOL last year) and Avenue A (owned by aQuantive) no longer take ads 
that contain ActiveX download capability. 


Day continues, “We did a major audit of our distribution partners to ensure we had 
excellent disclosure (such as BearShare) and that they shared our philosophy on pro- 


APRIL 2005 


RELEASE 1.0 


37 


viding user value. This resulted in a cutback in some partners.” WhenU has also 


changed how it compensates its partners, dropping pay-per-install relationships and 


moving all of its partners to revenue-sharing arrangements by the end of 2004. 


“We established ad-frequency limits that forced the company to adopt an ‘every ad 


display is precious’ mentality,” he continues. “These limits are currently 3 in any sin- 
gle hour, and 8 over the course of any 24 hours. Most users see less than this as a 
practical matter, as the primary driver of ad delivery is still whether a contextual 


WHENU INFO 


Headquarters: New York, NY 

Founded: February 2000 

Employees: 60 

Funding: $20 million from ABS Capital 
Partners 

Advertisers: more than 400 including 
Priceline, Merck, Capital One, British 
Airways, Monster.com, JPMChase, 
Cingular, the Fox Network and 
Ameriquest 


URL: www.whenu.com 


match exists... We also allow several exceptions to this, for example 
when a user searches [on a specific term for which there is relevant 
ad inventory] or when they visit a commerce site we have a coupon 
relationship with, because in both cases we believe that the user 
value exists independent of the limits above.” That’s a reasonable 
exception. . .and one that is probably not worth explaining to users 
as long as no explicit promise is made about frequency in the first 
place. If transparency rules in this market, such things will be taken 
into consideration by the third-party opinion-setters and anti-spy- 
ware vendors who will guide users’ choices. 


Beyond that, says Day, “We spent and continue to spend an extraor- 
dinary amount of time on the ad contextuality and format, making 
ads more and more targeted to users’ interests. “Exactly the right ad 
at exactly the right moment’ is our goal. We’ve gotten measurably 


better but it’s an evolving thing we seek to improve consistently over time. . .as I have 


said I see our business as the ultimate low-frequency, high-context ad model.” 


He concludes: “The measure of our progress is click-through rate. Across our entire 


base of users (not a small subset or test sample) we have seen a 17 percent decrease 


in ads per user per day since October 1. Nonetheless, as a result of our focus on con- 
textuality and a more qualified user base, our click-through rate has actually 
increased by 43 percent in the same time frame” — which works out to 19 percent 


more clicks per user. 


Over the same time period, the installed base has declined slowly, Day says. That’s 
because of the tactics of anti-spyware vendors, he adds, and it masks a drop in unin- 


stall rates that he believes will occur because of WhenU’s own improved practices. 


“Our belief is that better business practices (along with coming legislation, our 


unique privacy-oriented technical architecture, a maturation of the anti-spyware 


38 RELEASE 1.0 


WWW.RELEASE1-0.COM 


industry and a savvy consumer that appreciates the benefits of targeted ads) will pay 
off for all the tough decisions we have made over the last six months...” 


In addition, Naider has been working actively in Washington in an attempt to influ- 
ence legislation; he gets good marks for sincerity from people who have worked 
with him. 


NextU? 

What next for WhenU? It occupies an interesting position. With its data-only-on- 
the-desktop approach, it can’t offer market research as Claria does, but it too is plan- 
ning some kind of collaboration to deliver more targeted ads in conjunction with 
media partners. (New director Terkowitz should be helpful in establishing bridges 
for WhenU with that community.) And with a smaller installed base and its own 
(commendable) restrictions on marketing practices, it will likely remain smaller. 
However, in an increasingly sophisticated market, it may be able to reach a hard-to- 
reach-otherwise base of aware consumers who understand and value its approach 
data-on-the-client approach. (Of course, we are talking “aware,” not paranoid.) 


Then there is WhenUShop, WhenU’s original product. It offers users a discrete, con- 
crete benefit to users — competing offers in specific vertical domains. WhenU is work- 
ing on software that would enable it offer not just targeted ads but specific offers to 
consumers. For example, if you're checking flights from New York to Albuquerque 
for May 12 on Orbitz, it could lead you to the results for the same query on Expedia. 
As noted, Sidestep is already doing this kind of thing for the travel vertical. 


This is an area where there is ample room for competitive differentiation, for ven- 
dors willing to do the work. It requires software that can understand the products 
that a user is looking at and figure out what products on other sites meet those crite- 
ria — in essence, reverse-engineering vendors’ sites — on behalf of the consumer. Like 
Sidestep, such a capability may be controversial among vendors (would it be invad- 
ing their privacy?), but it would surely win a loyal following among consumers and 
grudging acceptance from advertisers, as Sidestep has. There’s a lot of value to be 
added. For example, imagine a feature that could not only compare prices, but could 
also query the different websites to find out which flights are least full, still have win- 
dow seats, or are showing a particular movie. Currently that’s a laborious, one- 
flight-at-a-time process that could easily be automated — but tedious and complex 
enough to give some fleeting competitive advantage to the company that does so. 
(And then imagine a social-network feature that could seat you next to someone 
compatible. That’s not in WhenU’s plan. . -yet!) 


APRIL 2005 RELEASE 1.0 


39 


40 


RELEASE 1.0 


In the end, WhenU’s adware could become something of a user-centered shopping 
assistant, with specific knowledge in a variety of product domains (SEE CHOICESTREAM, 
RELEASE 1.0, MARCH 2005). It would bring WhenU back to where it started, but in a 
market that is more ready to accept that proposition. 


18Osolutions: Fixer-upper 

In June 1999, up in Seattle, longtime friends Keith Smith and Daniel Todd ran a 
small online advertising company called ePIPO. Their basic product was a streaming 
display that showed ads at the bottom of a user’s screen; they sold this service to free 
or discount ISPs (less-known competitors of such companies as Juno and NetZero) 
who would deliver the text streams and who used their share of 180solutions’ rev- 
enue to defray their costs. 


EPIPO’s revenue-producing customers were advertisers who paid for the messages 
to consumers, who occasionally clicked on the streaming banners and were shown 
ads. In short, their product was not streaming video but streaming (clickable) ban- 
ners, and even in 2000 it failed to pass the grade as an advertising medium. 


The team reduced to five from about 18, hunkered down and came up with a differ- 
ent proposition. The company changed its model, but the transition was tough. It 
contemplated bankruptcy, but it couldn’t afford to pay a bankruptcy lawyer. Slowly, 
the new model caught on. Says Smith, now CEO: “Rather than showing ads nonstop, 
we started time-shifting ads. You would pay for the software by watching the ads, but 
they wouldn’t have to interrupt your game.” It made more sense for advertisers, too. 
Juan was not going to interrupt his game of SpyShooters to buy a new DVD player; 
Alice preferred to see her ads while she was shopping, not while she was checking the 
weather. . .and so their response rates were higher when the ads matched the pages 
they were browsing rather than the software that the ads supported. 


In another innovation, 180solutions generally dispensed with the pop-up ads made 
familiar by its competitors; it pops up browser windows preloaded with pages from 
the advertisers’ websites — often specific contextually determined pages of those sites. 
Le., it offers “pop-up” browser windows rather than pop-up ads. That confused many 
users, but it made for a better response rate. “Each time you make the user go through 
another action [such as clicking on an ad to get to a page], you lose customers,” says 
Todd, now president. Moreover, says Todd, “The advertisers that are most successful 
allow us to manage their campaign and allow us to deep-link to specific product 
pages” based on what users have done while visiting competing merchants’ sites. 


WWW.RELEASE1-0.COM 


180 excuses 

The new 180solutions grew rapidly on the strength of this approach. But, like many 
of its competitors, it was sloppy about installations. We don’t know the full extent of 
the problems, but the company does admit that in the summer of 2003 it was 
installed in drive-bys on a number of occasions. It’s not clear how many were 
installed or how many remain, but either that single slip-up — or perhaps many like 
it — helped 180solutions to develop a bad reputation. Says Todd: “We were in busi- 
ness development. We didn’t know we needed to be policemen, too.” 


In short, the company exerted little control over its distributors, mostly policing 
them after the fact. For example, it sued one of them, Aztec Marketing, in the sum- 
mer of 2004, for “violating [180solutions’] code of conduct.” The suit is still pending. 


Researchers say the practices are ongoing. Ben Edelman posted a video of a 180 
installation through security holes (without notice or consent) in November 2004, 
and says he has seen this repeatedly since then. The company blames any problems 
on third parties. 


Whatever the situation then, the company now has revenues greater than $50 mil- 
lion with a scant 250 employees. . aand a greater ability and incentive to act as police. 


It has been profitable since mid-2002, the company says, and raised $40 million 
from Spectrum Equity Partners of Menlo Park, CA, in March 2004. We are not sure 
whether that was for equity or (high-return) debt. 


The company is gradually pulling together its disparate partners, bundles and other 
offerings under the Zango name, replacing 180Search Assistant, its former umbrella 
brand. It now has a team of 60 developers, of which half are working on consumer 
software such as games, content, utilities and UI for the Zango site, and about half 
are working on targeting and optimization and other software. 180’s products get 
tens of thousands of installs through Zango (from people downloading games and 
the like) per day. Zango Games, still not a year old, is now the 15th most trafficked 
online gaming site. 


Extending control 

Earlier this month, 180solutions acquired one of its distributors, CDT, based in 
Montreal. (The name used to be Canadian Day Traders and has nothing to do with 
CDT.org, the website for the Center for Democracy and Technology; CDT’s business 
partners include porn sites — but “only 10 percent,” notes Todd.) Todd says that as 


APRIL 2005 RELEASE 1.0 


41 


180solutions imposes its rules on CDT partners, “We expect some of those partners 
to go away and we’ve turned off a substantial proportion. While nothing is foolproof, 
that will substantially reduce the occurrences [of questionable installations] and then 
we'll continue to enforce our rules, through litigation if necessary.’ He expects to 
reduce CDT’s active partner count by about half to 800; those tend to be the smaller 
partners, so the installation volume should drop by only a quarter, he says. 


He adds, “We can now monitor their behavior much more closely.” One feature 180 

plans to introduce into CDT’s content-syndication software is that the partners can’t 

actually install 180’s adware themselves; they can only refer users to a 180solutions 
page that may carry their own branding (e.g. of CDT-Partner.com) 


180SOLUTIONS INFO 


but that is operated by 180solutions. It will be interesting to see how 
partners try to get around that, but we are sure they will try! 


Headquarters: Bellevue, WA 


Founded: June 1999 


Employees: 250 


Funding: $40 million from Spectrum 


Advertisers: undisclosed 


URL: www.180solutions.com 


Equity Partners 


Our take on all this is that the adware business needs some friction, 
and that if 180solutions succeeds in installing all the proper controls 
and know-your-customer processes, there may be little left of the 
CDT acquisition over the long run. But that’s our opinion. 


42 


RELEASE 1.0 


Overall, says Todd, the company plans to manage at least 60 percent 
of installations in-house (including through the former CDT), up 
from about 2 percent last year. That is indeed a huge change, but the remaining 40 
percent — still paid per-installation — is likely to generate continuing problems, based 
on 180solutions’ own past experience. 


Indeed, we can’t find compelling evidence that the company has really cleaned up. 
The new disclosure screens the company touts aren’t always used; anti-spyware 
researchers continue to find instances of 180Search Assistant being installed or 
upgraded/reinstalled without proper notice to consumers. The company recently 
ceased to be a member of the Linkshare affiliate network. We got conflicting versions 
of who pushed whom first, but the company is no longer among Linkshare’s com- 
munity of affiliates. 


The company is extremely focused on numbers (to the point that it has a real-time 
update display in its offices showing revenues, installs, customer satisfaction survey 
responses and other metrics minute-by-minute). It also tracks conversion rates, and 
sets a $15 CPM threshold on pricing. “We optimize out keywords that aren’t work- 
ing very well. We make active decisions to reduce the frequency to increase the trans- 
actions,’ says Todd. 


WWW.RELEASE1-0.COM 


If the company could clean up its installation practices, it might have a compelling 
proposition for advertisers. 


(By way of our own disclosure: In another instance, CNET Networks (Release 1.0’s 
parent company) and 180solutions have traded cease-and-desists arising from the 
operation of 180solutions’ advertising network and 180solutions’ designation as 
spyware in certain anti-spyware programs. Each company is currently researching 
the other’s claims.) 


DirectRevenue: Indirect presence 

DirectRevenue was founded in New York in 2002. Two of its founders, Daniel 
Kaufman and Joshua Abram, had previously worked together at a company called 
DASH, with a product designed to be a user’s shopping guide (as in Direct Advice to 
SHoppers). The company raised $60 million, but in the end the product was a flop. 
The Dash “online shopping tool” was named Best Shopping Tool of 1999 by Time 
magazine, and Abram got more than 140 leading merchants to participate in the 
Dash Merchant Alliance, including GTE, United Airlines, Priceline.com, TD 
Waterhouse, Val-Pak, AskJeeves and About.com — but this early version of adware 
failed to catch on with consumers. In 2001, the company was honorable enough to 
return some of its investors’ investment before closing down. 


In 2002 Kaufman and Abram took a brief look at another, more spylike business sell- 
ing data to list-brokers (as reported in Newsweek last November), but, Abram 
explains, it was “in another venture, [where] we did think about a data business but 
abanddoned it in 2002. Total revenues from this effort were less than $20,000.” 


Also, many people in the business associate DirectRevenue with VX2, one of the 
most notorious spyware products (if only because it had a name while the worst of 
the stuff usually doesn’t.) In fact, VX2 came from a predecessor company with the 
same founders that primarily built adware software on a contract basis for third par- 
ties interested in entering this business. Abram claimed vague lack of responsibility 
for it to Newsweek last fall: “When you license the stuff, it’s difficult to maintain per- 
fect control of what everyone does with it, frankly.” 


Later in 2002 Kaufman and Abram reunited to found DirectRevenue, a sort of 
reworked Dash. Kaufman is DirectRevenue’s chairman while Abram is CEO. This 
time around, the founders took a more cost-conscious approach and got its software 
installed with less overhead, through third parties. Like its competitors, 


APRIL 2005 RELEASE 1.0 


43 


DirectRevenue used a broad collection of distributors for its software, which shows 
ads for marketers such as AmericanSingles, Priceline, Tickle and Autobytel. 


From a standing start in 2002, DR hit revenues of about $50 million in 2004 — nice 
work if you can get it! The company’s practices were not atypical of the spyware 
standards: surreptitious downloads, a proliferation of names that made it hard to 
figure out who was behind its ads, installation partners in the porn business (though 
it has dropped several of them), spurious affiliate commissions and so forth. In addi- 
tion, the company showed little restraint in its advertising: Users of its software were 
peppered with ads but had trouble figuring out how to get rid of it. Pointers to the 
uninstall instructions were hidden in the EULA, and required the user to go a specif- 
ic website, MyPCTuneUp.com. 


DirectRevenue now advertises that location on a variety of paid-search services 
including Google’s AdWords, and also includes indirect links to MyPCTuneUp in 
most of the ads it displays. Says Abram: “We do want to offer a clear path that a nor- 
mal human being can understand. Anyone who Googles our brands will find a link, 


DIRECTREVENUE INFO 


Headquarters: New York, NY 

Founded: November 2002 

Employees: 100 

Funding: $20 million from Insight 
Venture Partners, plus $7.3 million 
debt from Technology Investment 
Capital Corporation 

Advertisers: AmericanSingles, Priceline, 
Tickle, Autobytel 


URL: www.direct-revenue.com 


paid for by DR, that leads directly to our uninstall tool, at 
MyPCTuneUp.com. Our branded ads also lead to the same facility. 
On any given day, between 5,000 and 10,000 consumers successfully 
use MyPCTuneUp to remove our software from their PC.” That’s 
better than nothing, but Microsoft user interface standards dating 
to Windows 95 call for use Microsoft Windows add/remove tool; so 
does most of the pending legislation. Most people might not think 
to Google their software to find out how to get rid of it. 


Like many of its competitors, DirectRevenue asserts in its EULA the 
right to reinstall its software unless the user removes it through 
MyPCTuneUp.com website. The ostensible reason for this provision 
is that the user may not have wanted it removed; sometimes com- 
peting spyware vendors remove one another’s products to leave 


more of the user’s attention for themselves. Last fall, Avenue Media, another adware 


company, filed suit against DirectRevenue charging that DirectRevenue was deleting 
AM’s adware and costing Avenue Media $7,000-$10,000 a day in lost revenue. 
DirectRevenue counterclaimed that Avenue Media, as a distributor of DR’s 
ABetterInternet software, understood that under ABI’s EULA, the end-user autho- 
rized ABI to remove other adware. Indeed, Avenue Media itself was responsible for 
obtaining the end-user’s consent to the ABetterInternet EULA. DR alleged that 
Avenue Media and its affiliate Flying Crocodile were mining their customers’ 


44 RELEASE 1.0 


WWW.RELEASE1-0.COM 


Outlook address books and sending out porn solicitations to those users’ contacts. 
Says Abram: “A federal judge denied Avenue Media’s motion for a temporary 
restraining order and a preliminary injunction to prevent DR from removing 
Avenue Media’s adware. After the court denied Avenue Media’s motion, Avenue 
Media folded their tent. The case was settled. DR paid no money to Avenue Media as 
part of the settlement.” 


Ironically, one source of DirectRevenue’s success was leavings from WhenU: Third- 
party ad broker Soho Digital created more demand for ad placements than WhenU 
could supply, and DirectRevenue was happy to step into the breach by offering ad 
delivery to its users, as were several other adware companies. In the spring of 2004, 
WhenU told its resellers they either had to work with WhenU exclusively or not at 
all. Soho Digital chose not to accept this ultimatum and last September it was 
acquired by DirectRevenue. 


Direct consequences 

Also last year, DirectRevenue started to shift focus, according to Abram. In April 
2004 it took a $20-million investment from Insight Venture Partners (Insight’s exec- 
utive advisory board includes Eric Schmidt of Google, Ray Lane of Oracle and now 
Kleiner Perkins, Robert Rubin and Scott Cook). A few months later, it raised another 
$7.3 million in debt from the Technology Investment Capital Corp. 


In May 2004, the company hired Daniel Doman, former director of engineering at 
DoubleClick, “with the intent that his background would be enormously helpful in 
the development of new business models, particularly the non-pop-up behavioral 
targeting” business, which would sell ads via publishers rather than show them as 
pop-ups directly to consumers. DR also recently hired a privacy consultant, Alan 
Chapell, who previously worked at Jupiter Research, to perform a privacy audit on 
the company’s policies and practices. And as noted, it acquired Soho Digital in 
September, bringing its ties with advertisers in house. 


Since then, DirectRevenue has begun cleaning up its act. . although competitors and 
observers say the progress is spotty. By all accounts, DirectRevenue’s installed base of 
users is flat, which we consider to be a sign of improved practices. 


First of all, in response to a changed climate, DR started to brand its ads. “We have a 
new client that is fully branded called Aurora,” says Abram. “It will be a substantial 
portion of the base. But we have to change the user’s client, so it’s not rolled out to all 


» 


our users.” And it still requires the use of MyPCTuneUp.com for permanent 


APRIL 2005 RELEASE 1.0 


45 


removal. Other new brands include Ceres and SolidPeer. The branding consists of 
the software’s name within the body of the ad, a question mark with links to explain 
where the ad is coming from and clear instructions for removal. Says Abram, “We 
have used several brands because we are working closely with partners to distribute 
our clients and want to keep our brands partner-centric. ‘SolidPeer, for instance, is 
used in our distribution with Morpheus and the name is intended to remind con- 
sumers of the value (P2P software) that they get in exchange for the ads. New clients 
being released for distribution are fully branded. On the legacy base, the vast majori- 
ty of all ads are now branded. Most of the base that is not branded are old MS oper- 
ating systems, where we’ve had technical issues but expect to complete an upgrade to 
a branded client by the end of May. The company also started a live customer-sup- 
port chat room in January 2005.” 


Revenues of about $50 million still indicate an extremely profitable company with 
about 100 employees. That includes 35 from Soho Digital, though employment is 
likely to grow further assuming DR gets serious about monitoring its partners’ 
installation practices or about controlling installations in house. Among other 
things, engineering VP Doman describes a new automated crawler his team has 
developed; it surfs DR’s partners’ sites and mimics users’ behavior using real 
browsers, looking for exploits and infractions. It is in continuous daily use. “We 
actually haven’t found any infractions from any distributors since we have been 
using the crawler,” says Doman. “But whenever we read in the press about anyone 
who has been using an exploit, we take the opportunity to test our crawler against 
the site or exploit to make sure that we can catch it. It works; we do catch it.” 


Following others’ footsteps 

Although DR is responding to market, media and legal pressures, it prefers to stay 
out of the limelight. It is making no announcements yet, but the company plans to 
focus more on customer profiling in conjunction with publishers, says Abram, and 
to reduce its reliance on desktop-triggered pop-ups — moving along the same path as 
Claria and looking to make deals with media partners. In short, it’s not interested in 
leading the way, either in transparency or in braggadocio. But we do believe it has a 
rational self-interest in making the transition to a new business model and practices. 


46 RELEASE 1.0 WWW.RELEASE1-0.COM 


The Next Chapter: Redemption at Last? 


Where the story goes from here is unclear. The spyware market may be susceptible to 
some of the same solutions as spam: better identification and authentication of 
sources, not so much by law as by consumer demand, and with the help of institu- 
tions — NGOs and private merchants and advertisers and technology vendors — 
responsive to that demand. 


As with spam, it will require actions by a variety of parties: 


e Platform vendors need to provide better security. 

e Users need to (be educated to) know enough to buy anti-spyware tools, 
and to look for disclosure messages. 

e Anti-spyware vendors need to provide better clarity and editorial voice 
about what actions they are recommending the user take and greater 
transparency about the criteria they apply. In addition, it would be helpful 
for them to offer an integrated parental-control feature. 

* Government needs to legislate meaningful disclosure requirements and 
acceptable behavior for adware. In addition to enabling prosecution of the 
bad guys, that will give the good guys a hook to hang onto as they climb 
the slippery slope to goodness, with competitors dragging them down. 


But much of it depends on the adware vendors themselves. 


WhenU and Claria both have cleaned up their acts considerably over 
the last few years. They have an incentive to do so. Both have active 
outside investors and Claria at least has clear aims of going public, 


: hens satis COMING SOON 
while WhenU has a new CEO and venture capitalists who aren’t in it 


for friendship. The progress made by DirectRevenue and 180solu- 
e Internet(worked) TV 


e genetics, testing and health 
e identity and life on the Web 


tions is less visible, and researchers continue to catch them at old 
tricks (though they don’t give Claria or WhenU a clean bill either). 


But even though the companies have all improved their practices to 
. 2 e And much more... (If you 
some extent (and have clear incentives to stay clean), many people 
i i : i : know of any good examples of 
may not want to give them absolution for their misdeeds. While ie 
rene . A . the categories listed above, 
they may not be tricking new customers into downloading their 

i sane please let us know.) 
software, they still show ads and earn revenues from millions of 


users, not all of whom asked for the software in the first place. 
Although customer churn in the adware business — as in down- 


APRIL 2005 RELEASE 1.0 47 


loaded software in general — is high, each company may have a legacy base of users 
who have had the software for years precisely because they don’t know how to 
remove. Does any adware company have the courage to go to all its long-time cus- 
tomers and ask them to opt in — again or for the first time? (SEE PAGE 17.) 


That would be an act of courage. . .but it would also clear the air and let them go for- 
ward free of the cloud of suspicion that still — and deservedly — hangs over each of 
these companies. 


It’s that simple. What would be the consequences? How many would say yes. . .and 
how many would say no? Is honest adware even a viable proposition? No one 
knows. . .but isn’t this all about information and transparency. Wouldn't it be nice 


to find out. . .now rather than later, when you're forced to? 


How about it, guys? Wr 1.0 


48 RELEASE 1.0 WWW.RELEASE1-0.COM 


Resources & Contact Information 


Keith Smith, CEO, 180Solutions, 1 (425) 279-1200 

Ashley Wolfe, PR Contact, 180Solutions, ashley@barokas.com 

Paul Laudanski, Webmaster, CastleCops, 1 (609) 510-3894; paul@castlecops.com; (online: Zhen-Xjell) 

Jeff McFadden, CEO, Claria, 1 (650) 980-1301; jeff@claria.com 

Josh Abram, CEO, Direct-Revenue, 1 (646) 613-0376 x1; fax, 1 (646) 613-0386; joshua@direct- revenue.com 
Daniel Kaufman, Chairman, Direct=Revenue, 1 (646) 613-0376; fax, 1 (646) 613-0386; Daniel@direct-revenue.com 
Benjamin Edelman, Student & Consultant, Harvard University, ben@edelman.org 

Rob Cheng, CEO, PCPitstop.com, 1 (843) 293-6110; chengrob@yahoo.com 

Dave Methvin, Chief Technology Officer, PCPitstop.com, 1 (410) 730-8818; dave@pcpitstop.com 

Eric Howes, Researcher, Spyware Warrior, ehowes@insightbb.com 

Suzi Turner, Owner & Consultant, Spyware Warrior, suzi@spywarewarrior.com 

Richard Stiennon, VP, Threat Research, Webroot Software, 1 (303) 442-3813 x176; rstiennon@webroot.com 
Bill Day, CEO, WhenU, 1 (212) 631-2119; bday@whenu.com 

Adam Lichstein, General Counsel & Head of Corporate Development, WhenU, 1 (212) 631-2144; 


alichstein@whenu.com 


For further reading: 


Anti-spyware scan results, by Eric Howes: http://www.spywarewarrior.com/asw-notes/asw-results.htm 
FTC Spyware Workshop: http://www.ftc.gov/bcp/workshops/spyware/ 


APRIL 2005 RELEASE 1.0 49 


Calendar of High-Tech Events 


JUNE 1-3 


JUNE 9 


JUNE 11 


JUNE 13-15 


JUNE 13-16 


Wireless Community Conference - Monterey, CA. This Conference covers 
the latest information in wireless technology and its use in the classroom, field 
and research settings, offering attendees hands-on demonstrations with indus- 
try experts, workshop sessions on the latest 802.11 technologies, panels and 
forums with leaders in the world of mobility, and e-Learning on campus and 
in the community. Register on the website or contact Karen Letendre, 1 (831) 
582-5384, karen_letendre@csumb.edu, with questions. 
wetec.csumb.edu/WeTEC_conference.htm 


Consumer Reports WebWatch: "Trust or Consequence" Conference - 
Berkeley, CA. "Trust or Consequence: How Failure to Disclose Ad 
Relationships Threatens to Burst the Search Bubble" is a one-day conference. 
Learn how search engines are making millions at the risk of losing customer 
trust, and join in the discussion about how to improve the way search results, 
including health information, are displayed - so that anyone can tell advertis- 
ing from the real thing. Best part? The conference is free! Register via the web- 
site, or contact Jhan Snyder, jsnyder@eventandcompany.com, with questions. 


www.consumerwebwatch.org/ conferences.cfm 


PHP & Open Source Security Conference - Vancouver, BC This will be the 
second conference that Open Source Events has held this year. The conference 
is specifically geared to address the many different areas of security in the PHP 
environment and with open source technologies, including site scripting, 
input validation, secure coding practices and various methods of authentica- 
tion. For more information or to register, visit the website. Questions, contact 
Nathan Brown, 1 (604) 724-6624, fax - 1 (604) 444-9942, info@osevents.com. 
www.osevents.com/ 


Innovate! Europe 2005 - Zaragoza, Spain. Innovate!Europe is a deep look at 
the innovators and innovations that will impact Europe's technology econo- 
my. By turning the spotlight on innovation, European market leaders will see 
where the best promise is for global market leadership and demonstrate how 
Europe will gain stature in the global tech markets. The conference is expected 
to bring together hundreds of senior technology executives, entrepreneurs, 
investors and government officials from across Europe to transform technolo- 
gy innovation and entrepreneurship in Europe. Register on the website. Also, 
suggestions for speakers can be made online. www.innovate-events.com/ 


AeA & Santa Clara University Management Development Program - 
Santa Clara, CA. This Program works with managers and directors of high 
tech companies, teaching core business disciplines and effective management 
techniques to lead innovation and high performance work teams. Register on 
the website, or contact Jeannine Seremi-Banayat, 1 (408) 987-4276, execu- 
tivedevelopment@aeanet.org, for more information. 


www.aeanet.org/Education/HRST100_SCUStart.asp 


O Events Esther plans to attend. 


Lack of a symbol is no indication of lack of merit. The full, current calendar is available on our website, www.release1-O.com. 
Please contact Brodie Crawford (brodie@releasei-O.com) to let us know about other events we should include. 


50 RELEASE 1.0 


WWW.RELEASE1-0.COM 


APRIL 2005 


JUNE 29-30 


JULY 19-21 


AUGUST 1-5 


AUGUST 7-18 


The Where 2.0 Conference - San Francisco, CA. 
Location-based services and mapping are becoming 
mainstream technologies, and the first Where 2.0 will 
exlpore in detail where these services are headed in 
business. Speakers include Tim O'Reilly (O'Reilly 
Media), Udi Manber (A9.com), John Frank 
(MetaCarta), Jeremy Kreitler (Yahoo! Local and Maps) 
and Perry Evans (Aptas). Register on the website, or for 
more information contact Andrew Calvo, 1 (707) 827- 
7176, andrewc@oreilly.com. 


conferences.oreillynet. com/where/ 


Innovation Summit © Stanford University - 
Stanford, CA. The Innovation Summit features execu- 
tive speakers who are some of the most powerful play- 
ers in technology, government, and the social sector. 
Previous speakers included Sergey Brin (Google), Rob 
Glaser (RealNetworks), Michael Powell (FCC 
Chairman), Ronnie Lott (Baseball Hall of Famer) and 
Mark Benioff (Salesforce.com). Register on the website. 
Contact Kathy Osweiler with any questions at 1 (415) 
751-0170, kathy@alwayson-network.com. 


www.alwayson-network.com/events 


OSCON 2005 - Portland, OR. OSCON, or the O'Reilly 
Open Source Convention, will be held at the Oregon 
Convention Center, where participants will enjoy tuto- 
rials, sessions, parties, BOFs, and a huge exhibit hall. 
The Call for Proposals is now open, and registration 
and hotel information will be available soon. Get the 
details as soon as they have them by signing up for the 
OSCON newsletter, or register, on the website. Contact 
Andrew Calvo, 1 (707) 827-7176, andrewc@oreilly.com, 
for more information. 


conferences.oreillynet.com/os2005 


AeA & Stanford Executive Institute - Stanford, CA. 
This conference is designed for technology executives 
with a minimum of 10 years of management experi- 
ence. Eleven nationally distinguished faculty, known for 
their award-winning research and collaboration with 
high tech companies, teach advanced business and 
leadership disciplines and lead discussions on today's 
top industry challenges. Participants learn new per- 
spectives from industry experts and accomplished col- 
leagues from around the world. Register on the website, 
or contact Jeannine Seremi-Banayat, 1 (408) 987-4276, 
executivedevelopment@aeanet.org, for more informa- 
tion. 


www.aeanet.org/Education/HRAP100_StanfordIntro.a 
sp?bhcp=1 


RELEASE 1.0 


51 


Visit our new website: More (free-to-read) columns, ideas, essays, features and con- 
tributors...featuring Rafe’s Radar, a biweekly column by Rafe Needleman. Plus, a new look! 


http://www.release1-O.com 


Release 1.0 Subscription Form 


Complete this form and join the other industry executives who regularly rely on Release 1.0 to stay ahead of the headlines. Or if 


you wish, you can also subscribe online at www.release1-O.com. 


Your annual Release 1.0 subscription costs $795 per year ($850 outside the US, Canada and Mexico), and includes both the print 


and electronic versions of 11 monthly issues; 25% off the cover price when you order from our online archives; a Release 1.0 


binder; the bound transcript of this year’s PC Forum (a $300 value) and an invitation to next year’s PC Forum. 


NAME 


TITLE COMPANY 


ADDRESS 


CITY STATE ZIP 


COUNTRY 


TELEPHONE 


FAX 


E-MAIL* 


URL 


*personal e-mail address required for electronic access. 


My colleagues should read Release 1.0, too! 
Send me information about multiple copy subscriptions and electronic site licenses. 


Check enclosed Charge my (circle one): AMERICAN EXPRESS 


CARD NUMBER 


NAME AND BILLING ADDRESS 


SIGNATURE 


MASTER CARD VISA 


EXPIRATION DATE 


Please fax this form to Brodie Crawford at 1 (212) 924-0240. 


Payment must be included with this form. Your satisfaction is guaranteed or your money back. 


If you wish to pay by check, please mail this form with payment to: EDventure Holdings, 104 Fifth Avenue, 20th Floor, New York, 


NY 10011, USA. If you have any questions, please call us at 1 (212) 924-8800; e-mail us@edventure.com; www.release1-O.com. 


52 RELEASE 1.0 


WWW.RELEASE1-0.COM 


04-05 


